Extracting prog: 2m15.84216423s
Minimizing prog: 1h4m37.223614909s
Simplifying prog options: 0s
Extracting C: 34.708341871s
Simplifying C: 15m16.044596558s


extracting reproducer from 31 programs
testing a last program of every proc
single: executing 6 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$uac2-fanotify_mark-socket$can_j1939-bind$can_j1939-syz_genetlink_get_family_id$nl80211-epoll_pwait2-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-close_range-mmap-sendmsg$nl_route
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
r3 = epoll_create1(0x80000)
r4 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r4, 0x0, 0x0)
syz_usb_control_io$printer(r4, 0x0, 0x0)
r5 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r5, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r4, 0x0, 0x0)
syz_usb_control_io$hid(r4, 0x0, 0x0)
syz_usb_control_io$uac2(r4, 0x0, &(0x7f0000000680)={0x44, &(0x7f0000000140)=ANY=[@ANYBLOB="0003000016712c0dc7a9b4cbd27bb9b14a00"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
fanotify_mark(0xffffffffffffffff, 0x422, 0x22, 0xffffffffffffffff, 0x0)
r6 = socket$can_j1939(0x1d, 0x2, 0x7)
bind$can_j1939(r6, &(0x7f0000000080)={0x1d, 0x0, 0x3, {0x2, 0xf0, 0x1}, 0xff}, 0x18)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000d80), r6)
epoll_pwait2(r3, &(0x7f0000000540)=[{}], 0x1, &(0x7f00000005c0)={0x0, 0x3938700}, &(0x7f0000000600), 0x8)
r7 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x2, 0x7fff7ffc}]})
close_range(r7, 0xffffffffffffffff, 0x200000000000000)
mmap(&(0x7f0000ff9000/0x3000)=nil, 0x3000, 0x1000000, 0x8010, r7, 0xcb995000)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x2, &(0x7f0000000580)={&(0x7f00000002c0)=ANY=[@ANYBLOB="3c00000010000304000180000000000000000000", @ANYRES32=0x0, @ANYBLOB="30080000000000001c00128009000100626f6e64000000000c0002800000070001000000"], 0x3c}, 0x1, 0xba01}, 0x4000010)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
single: successfully extracted reproducer
found reproducer with 28 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$uac2-fanotify_mark-socket$can_j1939-bind$can_j1939-syz_genetlink_get_family_id$nl80211-epoll_pwait2-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-close_range-mmap
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
r3 = epoll_create1(0x80000)
r4 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r4, 0x0, 0x0)
syz_usb_control_io$printer(r4, 0x0, 0x0)
r5 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r5, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r4, 0x0, 0x0)
syz_usb_control_io$hid(r4, 0x0, 0x0)
syz_usb_control_io$uac2(r4, 0x0, &(0x7f0000000680)={0x44, &(0x7f0000000140)=ANY=[@ANYBLOB="0003000016712c0dc7a9b4cbd27bb9b14a00"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
fanotify_mark(0xffffffffffffffff, 0x422, 0x22, 0xffffffffffffffff, 0x0)
r6 = socket$can_j1939(0x1d, 0x2, 0x7)
bind$can_j1939(r6, &(0x7f0000000080)={0x1d, 0x0, 0x3, {0x2, 0xf0, 0x1}, 0xff}, 0x18)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000d80), r6)
epoll_pwait2(r3, &(0x7f0000000540)=[{}], 0x1, &(0x7f00000005c0)={0x0, 0x3938700}, &(0x7f0000000600), 0x8)
r7 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x2, 0x7fff7ffc}]})
close_range(r7, 0xffffffffffffffff, 0x200000000000000)
mmap(&(0x7f0000ff9000/0x3000)=nil, 0x3000, 0x1000000, 0x8010, r7, 0xcb995000)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$uac2-fanotify_mark-socket$can_j1939-bind$can_j1939-syz_genetlink_get_family_id$nl80211-epoll_pwait2-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-close_range
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
r3 = epoll_create1(0x80000)
r4 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r4, 0x0, 0x0)
syz_usb_control_io$printer(r4, 0x0, 0x0)
r5 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r5, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r4, 0x0, 0x0)
syz_usb_control_io$hid(r4, 0x0, 0x0)
syz_usb_control_io$uac2(r4, 0x0, &(0x7f0000000680)={0x44, &(0x7f0000000140)=ANY=[@ANYBLOB="0003000016712c0dc7a9b4cbd27bb9b14a00"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
fanotify_mark(0xffffffffffffffff, 0x422, 0x22, 0xffffffffffffffff, 0x0)
r6 = socket$can_j1939(0x1d, 0x2, 0x7)
bind$can_j1939(r6, &(0x7f0000000080)={0x1d, 0x0, 0x3, {0x2, 0xf0, 0x1}, 0xff}, 0x18)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000d80), r6)
epoll_pwait2(r3, &(0x7f0000000540)=[{}], 0x1, &(0x7f00000005c0)={0x0, 0x3938700}, &(0x7f0000000600), 0x8)
r7 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x2, 0x7fff7ffc}]})
close_range(r7, 0xffffffffffffffff, 0x200000000000000)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$uac2-fanotify_mark-socket$can_j1939-bind$can_j1939-syz_genetlink_get_family_id$nl80211-epoll_pwait2-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
r3 = epoll_create1(0x80000)
r4 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r4, 0x0, 0x0)
syz_usb_control_io$printer(r4, 0x0, 0x0)
r5 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r5, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r4, 0x0, 0x0)
syz_usb_control_io$hid(r4, 0x0, 0x0)
syz_usb_control_io$uac2(r4, 0x0, &(0x7f0000000680)={0x44, &(0x7f0000000140)=ANY=[@ANYBLOB="0003000016712c0dc7a9b4cbd27bb9b14a00"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
fanotify_mark(0xffffffffffffffff, 0x422, 0x22, 0xffffffffffffffff, 0x0)
r6 = socket$can_j1939(0x1d, 0x2, 0x7)
bind$can_j1939(r6, &(0x7f0000000080)={0x1d, 0x0, 0x3, {0x2, 0xf0, 0x1}, 0xff}, 0x18)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000d80), r6)
epoll_pwait2(r3, &(0x7f0000000540)=[{}], 0x1, &(0x7f00000005c0)={0x0, 0x3938700}, &(0x7f0000000600), 0x8)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x2, 0x7fff7ffc}]})

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$uac2-fanotify_mark-socket$can_j1939-bind$can_j1939-syz_genetlink_get_family_id$nl80211-epoll_pwait2
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
r3 = epoll_create1(0x80000)
r4 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r4, 0x0, 0x0)
syz_usb_control_io$printer(r4, 0x0, 0x0)
r5 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r5, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r4, 0x0, 0x0)
syz_usb_control_io$hid(r4, 0x0, 0x0)
syz_usb_control_io$uac2(r4, 0x0, &(0x7f0000000680)={0x44, &(0x7f0000000140)=ANY=[@ANYBLOB="0003000016712c0dc7a9b4cbd27bb9b14a00"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
fanotify_mark(0xffffffffffffffff, 0x422, 0x22, 0xffffffffffffffff, 0x0)
r6 = socket$can_j1939(0x1d, 0x2, 0x7)
bind$can_j1939(r6, &(0x7f0000000080)={0x1d, 0x0, 0x3, {0x2, 0xf0, 0x1}, 0xff}, 0x18)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000d80), r6)
epoll_pwait2(r3, &(0x7f0000000540)=[{}], 0x1, &(0x7f00000005c0)={0x0, 0x3938700}, &(0x7f0000000600), 0x8)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$uac2-fanotify_mark-socket$can_j1939-bind$can_j1939-syz_genetlink_get_family_id$nl80211
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)
syz_usb_control_io$printer(r3, 0x0, 0x0)
r4 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r4, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r3, 0x0, 0x0)
syz_usb_control_io$hid(r3, 0x0, 0x0)
syz_usb_control_io$uac2(r3, 0x0, &(0x7f0000000680)={0x44, &(0x7f0000000140)=ANY=[@ANYBLOB="0003000016712c0dc7a9b4cbd27bb9b14a00"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
fanotify_mark(0xffffffffffffffff, 0x422, 0x22, 0xffffffffffffffff, 0x0)
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
bind$can_j1939(r5, &(0x7f0000000080)={0x1d, 0x0, 0x3, {0x2, 0xf0, 0x1}, 0xff}, 0x18)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000d80), r5)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$uac2-fanotify_mark-socket$can_j1939-bind$can_j1939
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)
syz_usb_control_io$printer(r3, 0x0, 0x0)
r4 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r4, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r3, 0x0, 0x0)
syz_usb_control_io$hid(r3, 0x0, 0x0)
syz_usb_control_io$uac2(r3, 0x0, &(0x7f0000000680)={0x44, &(0x7f0000000140)=ANY=[@ANYBLOB="0003000016712c0dc7a9b4cbd27bb9b14a00"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
fanotify_mark(0xffffffffffffffff, 0x422, 0x22, 0xffffffffffffffff, 0x0)
r5 = socket$can_j1939(0x1d, 0x2, 0x7)
bind$can_j1939(r5, &(0x7f0000000080)={0x1d, 0x0, 0x3, {0x2, 0xf0, 0x1}, 0xff}, 0x18)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$uac2-fanotify_mark-socket$can_j1939
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)
syz_usb_control_io$printer(r3, 0x0, 0x0)
r4 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r4, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r3, 0x0, 0x0)
syz_usb_control_io$hid(r3, 0x0, 0x0)
syz_usb_control_io$uac2(r3, 0x0, &(0x7f0000000680)={0x44, &(0x7f0000000140)=ANY=[@ANYBLOB="0003000016712c0dc7a9b4cbd27bb9b14a00"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
fanotify_mark(0xffffffffffffffff, 0x422, 0x22, 0xffffffffffffffff, 0x0)
socket$can_j1939(0x1d, 0x2, 0x7)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$uac2-fanotify_mark
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)
syz_usb_control_io$printer(r3, 0x0, 0x0)
r4 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r4, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r3, 0x0, 0x0)
syz_usb_control_io$hid(r3, 0x0, 0x0)
syz_usb_control_io$uac2(r3, 0x0, &(0x7f0000000680)={0x44, &(0x7f0000000140)=ANY=[@ANYBLOB="0003000016712c0dc7a9b4cbd27bb9b14a00"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
fanotify_mark(0xffffffffffffffff, 0x422, 0x22, 0xffffffffffffffff, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$uac2
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)
syz_usb_control_io$printer(r3, 0x0, 0x0)
r4 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r4, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r3, 0x0, 0x0)
syz_usb_control_io$hid(r3, 0x0, 0x0)
syz_usb_control_io$uac2(r3, 0x0, &(0x7f0000000680)={0x44, &(0x7f0000000140)=ANY=[@ANYBLOB="0003000016712c0dc7a9b4cbd27bb9b14a00"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)
syz_usb_control_io$printer(r3, 0x0, 0x0)
r4 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r4, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r3, 0x0, 0x0)
syz_usb_control_io$hid(r3, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)
syz_usb_control_io$printer(r3, 0x0, 0x0)
r4 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r4, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r3, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi-syz_usb_control_io$printer
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)
syz_usb_control_io$printer(r3, 0x0, 0x0)
r4 = syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})
syz_usb_control_io$printer(r4, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_connect$midi
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)
syz_usb_control_io$printer(r3, 0x0, 0x0)
syz_usb_connect$midi(0x5, 0x5c, &(0x7f0000000180)={{0x12, 0x1, 0x110, 0x0, 0x0, 0x0, 0x40, 0x582, 0x89, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x4a, 0x1, 0x1, 0x2, 0x20, 0x7f, "", {{{0x9, 0x4, 0x0, 0x0, 0x2, 0x1, 0x3, 0x30, 0x3, [@midi_in_jack={0x6, 0x24, 0x2, 0x1, 0x4, 0x3}, @midi_in_jack={0x6, 0x24, 0x2, 0x0, 0x8, 0x5}], [{{0x9, 0x5, 0x0, 0x10, 0x40, 0x8, 0xa, 0x4e, {0xa, 0x25, 0x1, 0x6, "ec56af5d9c60"}}}, {{0x9, 0x5, 0x3, 0x2, 0x400, 0x5, 0x5, 0x6, {0x10, 0x25, 0x1, 0xc, "926ba233e328d07cfdb9bd12"}}}]}}}}}]}}, &(0x7f0000000900)={0xa, &(0x7f0000000200)={0xa, 0x6, 0x200, 0xfd, 0xd7, 0x9, 0x40, 0xb}, 0x30, &(0x7f0000000400)={0x5, 0xf, 0x30, 0x5, [@ptm_cap={0x3}, @ptm_cap={0x3}, @ssp_cap={0x10, 0x10, 0xa, 0x4, 0x1, 0xc0, 0xf00, 0xfff1, [0x0]}, @ss_cap={0xa, 0x10, 0x3, 0x2, 0x2, 0x4, 0x3, 0x9}, @wireless={0xb, 0x10, 0x1, 0xc, 0x81, 0x9, 0x9, 0x4, 0xb}]}, 0x5, [{0x7b, &(0x7f0000000700)=@string={0x7b, 0x3, "01ca58277f8e2efe55c704f49f5e9e1a83012a3e4b3e271fe0139b994f54bef6341b4ae03dc4dbb2dea40fcd015d0c67817cdf7a20dcba679e0a81aa6383e189e526c8f5694104a82526dc66d9065d7bd55080ece05a82ba3ae07a2162b44ff81853df20e355824ad30bfb3c16c4d4899bfd74ee8c416b5f24"}}, {0x21, &(0x7f0000000780)=@string={0x21, 0x3, "91d9cafd9fee3a595c2e605253710b752c0d0836ccf846366f1765de2569b2"}}, {0x91, &(0x7f00000007c0)=@string={0x91, 0x3, "7b23942b9aaf7dd61814c89d8eafaf62e8119915f3cc66adaf5b2759bb7cbfed16081149143dab83c37e2029f2f813b9beb9dd2fcab4789f073a5d6b2f96a679da31da231898282d40188dccbd4b7126dbbb06484ca0103fd59c4becf8db82ad6b887b00feac52a8f695df99cf2c33a473ff841639a654d5ceccd9d439b7683c3bc29795e83cad7475d2e938c17831"}}, {0x4, &(0x7f0000000880)=@lang_id={0x4, 0x3, 0xc0c}}, {0x4, &(0x7f00000008c0)=@lang_id={0x4, 0x3, 0x2409}}]})

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1-syz_usb_control_io$printer
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)
syz_usb_control_io$printer(r3, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect-syz_usb_control_io$uac1
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
r3 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)
syz_usb_control_io$uac1(r3, 0x0, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1-syz_usb_connect
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-epoll_create1
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
epoll_create1(0x80000)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-ioctl$UFFDIO_WRITEPROTECT-syz_usb_connect
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
ioctl$UFFDIO_WRITEPROTECT(0xffffffffffffffff, 0xc018aa06, &(0x7f0000000100)={{&(0x7f0000ffa000/0x3000)=nil, 0x3000}, 0x3})
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-fcntl$lock-syz_usb_connect
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
fcntl$lock(0xffffffffffffffff, 0x410, &(0x7f00000000c0)={0x1, 0x1, 0x1, 0xfffe})
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-ioctl$USBDEVFS_SUBMITURB-syz_usb_connect
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
ioctl$USBDEVFS_SUBMITURB(r1, 0x8038550a, &(0x7f0000000380)=@urb_type_bulk={0x3, {0x1, 0x1}, 0x13ff, 0x0, &(0x7f0000000340)='\x00', 0x1, 0x0, 0x0, 0x2, 0xfffffffc, 0x0, 0x0})
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-sendmsg$inet6-syz_usb_connect
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
sendmsg$inet6(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0xa, 0x4e21, 0x80000, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0xfffffffd}, 0x1c, 0x0, 0x0, &(0x7f00000003c0)=ANY=[], 0x28}, 0x4000841)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-setsockopt$inet6_IPV6_FLOWLABEL_MGR-syz_usb_connect
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
r2 = socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000280)={@mcast1, 0x800, 0x0, 0x103, 0x9}, 0x20)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-fremovexattr-syz_usb_connect
detailed listing:
executing program 0:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r1, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
socket$inet6(0xa, 0x2, 0x0)
fremovexattr(r0, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-socket$inet6-syz_usb_connect
detailed listing:
executing program 0:
socket$nl_route(0x10, 0x3, 0x0)
r0 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r0, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
socket$inet6(0xa, 0x2, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-ioctl$USBDEVFS_DISCONNECT_CLAIM-syz_usb_connect
detailed listing:
executing program 0:
socket$nl_route(0x10, 0x3, 0x0)
r0 = syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r0, 0x8108551b, &(0x7f0000002600)={0x0, 0x0, "5a77bd318786aeb879ca62cdab2a02fa560186d85b25a5665a3247e500f61681905db88235f8a5447dd2a2ed6e91626f068881e50f68530c2b21a100efb76cba37ff3111d6847e0c7f719e169a596e5fc008daefba68f6222103472bc55704cdb72b4b996ed82ccb1eaae27969d008ba7d34171113d806726615380fe65a6a0a72e19c2b60bd6276fd8bb6363d10f70da60fd53ded22c87eb2be010e4a62fb73c33424b437bb192c9d06ea6ed04983fe5c5ca033dfce0a82575ef14eee686be0fc58e384f93a13e4e8bbf599394baea3a9ca1864f0a35d6cc38fca32ad6b39905a9727d2001457df7be7e1aefe3635b2ee97c143f28def4b73905ca14d90d1f6"})
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_open_dev$usbfs-syz_usb_connect
detailed listing:
executing program 0:
socket$nl_route(0x10, 0x3, 0x0)
syz_open_dev$usbfs(&(0x7f0000000080), 0x75, 0x109301)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_route-syz_usb_connect
detailed listing:
executing program 0:
socket$nl_route(0x10, 0x3, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB], 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
simplifying C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000035ffaa20cd0caf104a380102030109021b0001000010000904590201801e2a00090582"], 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
validation run: crashed=true
reproducing took 1h26m55.987354966s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff888068860790 by task v4l_id/6109

CPU: 1 UID: 0 PID: 6109 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
 em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
 v4l2_open+0x1bf/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
 chrdev_open+0x4cd/0x5e0 fs/char_dev.c:411
 do_dentry_open+0x785/0x14e0 fs/open.c:949
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4677 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4836
 do_file_open+0x23e/0x4a0 fs/namei.c:4865
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fab12aa7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffe4ebdf470 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fab131f7880 RCX: 00007fab12aa7407
RDX: 0000000000000000 RSI: 00007ffe4ebe0f1d RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe4ebdf6c0 R14: 00007fab1335e000 R15: 0000564305f824d8
 </TASK>

Allocated by task 10:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5380
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 10:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888068860000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1936 bytes inside of
 freed 8192-byte region [ffff888068860000, ffff888068862000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x68860
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fea7280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813fea7280 dead000000000100 dead000000000122
head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001a21801 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5864, tgid 5864 (syz-executor), ts 84638319906, free_ts 84507479864
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 ops_init+0x7b/0x5c0 net/core/net_namespace.c:127
 setup_net+0x118/0x340 net/core/net_namespace.c:446
 copy_net_ns+0x50e/0x730 net/core/net_namespace.c:581
 create_new_namespaces+0x3e7/0x6a0 kernel/nsproxy.c:130
 unshare_nsproxy_namespaces+0x11a/0x160 kernel/nsproxy.c:226
 ksys_unshare+0x51d/0x930 kernel/fork.c:3173
 __do_sys_unshare kernel/fork.c:3244 [inline]
 __se_sys_unshare kernel/fork.c:3242 [inline]
 __x64_sys_unshare+0x38/0x50 kernel/fork.c:3242
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5870 tgid 5870 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5573
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4538 [inline]
 slab_alloc_node mm/slub.c:4866 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4873
 alloc_filename fs/namei.c:142 [inline]
 do_getname+0x2e/0x250 fs/namei.c:182
 getname include/linux/fs.h:2512 [inline]
 class_filename_constructor include/linux/fs.h:2539 [inline]
 do_sys_openat2+0xca/0x200 fs/open.c:1365
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888068860680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888068860700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888068860780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888068860800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888068860880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff888068860790 by task v4l_id/6109

CPU: 1 UID: 0 PID: 6109 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
 em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
 v4l2_open+0x1bf/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
 chrdev_open+0x4cd/0x5e0 fs/char_dev.c:411
 do_dentry_open+0x785/0x14e0 fs/open.c:949
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4677 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4836
 do_file_open+0x23e/0x4a0 fs/namei.c:4865
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fab12aa7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffe4ebdf470 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fab131f7880 RCX: 00007fab12aa7407
RDX: 0000000000000000 RSI: 00007ffe4ebe0f1d RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe4ebdf6c0 R14: 00007fab1335e000 R15: 0000564305f824d8
 </TASK>

Allocated by task 10:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5380
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 10:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888068860000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1936 bytes inside of
 freed 8192-byte region [ffff888068860000, ffff888068862000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x68860
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fea7280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813fea7280 dead000000000100 dead000000000122
head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001a21801 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5864, tgid 5864 (syz-executor), ts 84638319906, free_ts 84507479864
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 ops_init+0x7b/0x5c0 net/core/net_namespace.c:127
 setup_net+0x118/0x340 net/core/net_namespace.c:446
 copy_net_ns+0x50e/0x730 net/core/net_namespace.c:581
 create_new_namespaces+0x3e7/0x6a0 kernel/nsproxy.c:130
 unshare_nsproxy_namespaces+0x11a/0x160 kernel/nsproxy.c:226
 ksys_unshare+0x51d/0x930 kernel/fork.c:3173
 __do_sys_unshare kernel/fork.c:3244 [inline]
 __se_sys_unshare kernel/fork.c:3242 [inline]
 __x64_sys_unshare+0x38/0x50 kernel/fork.c:3242
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5870 tgid 5870 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5573
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4538 [inline]
 slab_alloc_node mm/slub.c:4866 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4873
 alloc_filename fs/namei.c:142 [inline]
 do_getname+0x2e/0x250 fs/namei.c:182
 getname include/linux/fs.h:2512 [inline]
 class_filename_constructor include/linux/fs.h:2539 [inline]
 do_sys_openat2+0xca/0x200 fs/open.c:1365
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888068860680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888068860700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888068860780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888068860800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888068860880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================