Extracting prog: 6m6.710656633s
Minimizing prog: 14m29.783206573s
Simplifying prog options: 0s
Extracting C: 2m0.904437213s
Simplifying C: 7m50.81419209s


extracting reproducer from 30 programs
testing a last program of every proc
single: executing 5 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$tun-ioctl$TUNSETIFF-socket$nl_route-socket$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route_sched
detailed listing:
executing program 0:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
r1 = socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$unix(0x1, 0x1, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'syzkaller0\x00', <r3=>0x0})
sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000880)=@newqdisc={0x34, 0x24, 0x4ee4e6a52ff56541, 0x60bd2b, 0xffffffff, {0x0, 0x0, 0x0, r3, {0x0, 0xa}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x4}}]}, 0x34}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$bt_hci-socket$nl_route-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-syz_pidfd_open-socket$nl_route-sendmsg$nl_route_sched-bpf$MAP_CREATE-openat$ptmx-ioctl$TIOCSETD-ioctl$TCFLSH-ioctl$TIOCSTI
detailed listing:
executing program 0:
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$nl_route(0x10, 0x3, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000040)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x8)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000000)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
syz_pidfd_open(r0, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000040)=@newtaction={0x68, 0x31, 0x1, 0x0, 0x0, {0x0, 0x0, 0x1300}, [{0x54, 0x1, [@m_mirred={0x50, 0x1, 0x0, 0x0, {{0xb}, {0x24, 0x3, 0x0, 0x1, [@TCA_MIRRED_PARMS={0x20, 0x2, {{0x0, 0x0, 0x0, 0x0, 0x1ff}}}]}, {0x4}, {0xc}, {0xc}}}]}]}, 0x68}, 0x1, 0x0, 0x0, 0x40}, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="0a00000004000000fd0f000007"], 0x48)
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100), 0xc2240, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000080)=0xf)
ioctl$TCFLSH(r4, 0x400455c8, 0x4)
ioctl$TIOCSTI(r4, 0x5412, &(0x7f0000000040)=0x32)

program did not crash
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet_tcp-epoll_create1-fcntl$dupfd-epoll_create1-syz_open_dev$tty1-syz_usb_connect-close-syz_usb_control_io-syz_open_dev$char_usb-syz_usb_disconnect-socket$inet_icmp_raw-ioctl$PPPIOCNEWUNIT-sendmsg$nl_route-sendmsg$nl_route-sendmsg$inet-syz_open_procfs-socket$nl_netfilter-sendmsg$IPCTNL_MSG_CT_GET_UNCONFIRMED-epoll_ctl$EPOLL_CTL_ADD-openat$ubi_ctrl-seccomp$SECCOMP_SET_MODE_FILTER_LISTENER-openat$sysfs-epoll_ctl$EPOLL_CTL_ADD
detailed listing:
executing program 0:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
r1 = epoll_create1(0x0)
fcntl$dupfd(r0, 0x406, r0)
r2 = epoll_create1(0x0)
syz_open_dev$tty1(0xc, 0x4, 0x3)
r3 = syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb23610000000109022d0001100000000904000003fe03010009cd8d1f00020000000905050200de7e001009058b1e20"], 0x0)
close(0x3)
syz_usb_control_io(r3, 0x0, &(0x7f0000000300)={0x84, &(0x7f0000000080)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_open_dev$char_usb(0xc, 0xb4, 0x0)
syz_usb_disconnect(r3)
socket$inet_icmp_raw(0x2, 0x3, 0x1)
ioctl$PPPIOCNEWUNIT(0xffffffffffffffff, 0xc004743e, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="240041233ffca92dd4a6000000004000020000040000000000"], 0x24}, 0x1, 0x0, 0x0, 0x240480d4}, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB], 0x28}}, 0x0)
sendmsg$inet(0xffffffffffffffff, &(0x7f0000000780)={&(0x7f0000000100)={0x2, 0x0, @multicast1}, 0x10, &(0x7f0000001600), 0x0, &(0x7f0000000c80)=ANY=[@ANYBLOB="1000000000000000e2a8068e1ee7ce37"], 0x10}, 0x0)
syz_open_procfs(0x0, 0x0)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_GET_UNCONFIRMED(r4, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000001c0)={0x0}, 0x1, 0x0, 0x0, 0x4000004}, 0x4000)
epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r1, &(0x7f0000000000)={0x20000002})
openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0x101000, 0x0)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x3d, &(0x7f0000000040)={0x1, &(0x7f0000000080)=[{0x6, 0x2, 0x0, 0x7ffffdbd}]})
openat$sysfs(0xffffffffffffff9c, &(0x7f0000000040)='/sys/firmware/fdt', 0x64a100, 0x0)
epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r0, &(0x7f0000000080)={0x90000014})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$tty1-socket$inet-prlimit64-sched_setscheduler-getpid-sched_setaffinity-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-sched_setaffinity-recvmmsg-gettid-fsconfig$FSCONFIG_CMD_CREATE-sendmsg$nl_route-syz_open_procfs-tkill-openat$dsp-ioctl$SNDCTL_DSP_SPEED-write$dsp
detailed listing:
executing program 0:
syz_open_dev$tty1(0xc, 0x4, 0x1)
socket$inet(0x2, 0x1, 0x100)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
r0 = getpid()
sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x2)
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeef, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@file={0x0, './file0\x00'}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x400000000000041, 0x0)
sched_setaffinity(r0, 0x8, &(0x7f0000000240)=0x2)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r3 = gettid()
fsconfig$FSCONFIG_CMD_CREATE(0xffffffffffffffff, 0x6, 0x0, 0x0, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000300)=ANY=[@ANYBLOB="d70000001800010025bd7000fddbdf251d0104001e01060001100e40ff71ec6d721744080000f8cfcad4c4ec6511ec028c5028564abce83afe14c93e15e556c2baed7f897fe841c155a2b2a4b9f3052995cdf66a8d7922ff0300005b6c67281f1519cd7c32c2bf7563b9452575505da99ea128d37616896be8764a2c78edbad5bde7a5e405bdc893770338925f824bd24689c0d11a5568fc3aaa9ad0d7766d8ea8d3bf1006e3df494e2f373148ecb4adafdd39874e9808b118301f1e76054a64c6d243523f5de7b347f3b740e105d0ed18fae7289635301ebd8949268090b3bcd4cbed5f1cfe93cff41a9630802f96defe9e8ea850529827c5e301953a8abaafa1f121e590f74e28233f4129d4587eee87"], 0x14c}}, 0x4c0c8)
syz_open_procfs(0x0, &(0x7f0000000100)='map_files\x00')
tkill(r3, 0xb)
r4 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000), 0x42f82, 0x0)
ioctl$SNDCTL_DSP_SPEED(r4, 0xc0045002, &(0x7f0000000180))
write$dsp(r4, &(0x7f00000001c0)="5cba91a4", 0xffffffd9)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000000a0010c410cf8a00000000000109022d00010000000009040000020300000009210000000122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000600)={0x24, 0x0, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="00221b00"], 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
single: successfully extracted reproducer
found reproducer with 3 syscalls
minimizing guilty program
testing program (duration=45.215278533s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000000a0010c410cf8a00000000000109022d00010000000009040000020300000009210000000122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)

program did not crash
testing program (duration=45.215278533s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000000a0010c410cf8a00000000000109022d00010000000009040000020300000009210000000122050009058103"], 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000600)={0x24, 0x0, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="00221b00"], 0x0}, 0x0)

program did not crash
testing program (duration=45.215278533s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0)
syz_usb_control_io$hid(0xffffffffffffffff, &(0x7f0000000600)={0x24, 0x0, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="00221b00"], 0x0}, 0x0)

program did not crash
testing program (duration=45.215278533s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000600)={0x24, 0x0, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="00221b00"], 0x0}, 0x0)

program did not crash
testing program (duration=45.215278533s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000600)={0x24, 0x0, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="00221b00"], 0x0}, 0x0)

program did not crash
testing program (duration=45.215278533s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000000a0010c410cf8a00000000000109022d00010000000009040000020300000009210000000122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)

program did not crash
program did not crash
testing program (duration=45.215278533s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000000a0010c410cf8a00000000000109022d00010000000009040000020300000009210000000122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000600)={0x24, 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=45.215278533s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000000a0010c410cf8a00000000000109022d00010000000009040000020300000009210000000122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000600)={0x24, 0x0, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB], 0x0}, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=45.215278533s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
simplifying C reproducer
testing compiled C program (duration=45.215278533s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
testing compiled C program (duration=45.215278533s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
testing compiled C program (duration=45.215278533s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
testing compiled C program (duration=45.215278533s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
testing compiled C program (duration=45.215278533s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
testing compiled C program (duration=45.215278533s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
testing compiled C program (duration=45.215278533s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
testing program (duration=45.215278533s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000000a0010c410cf8a00000000000109022d00010000000009040000020300000009210000000122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000600)={0x24, 0x0, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="00221b00"], 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
validation run: crashed=true
testing program (duration=45.215278533s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000000a0010c410cf8a00000000000109022d00010000000009040000020300000009210000000122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000600)={0x24, 0x0, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="00221b00"], 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
validation run: crashed=true
testing program (duration=45.215278533s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x2, 0x3f, &(0x7f0000000000)=ANY=[@ANYBLOB="12010000000a0010c410cf8a00000000000109022d00010000000009040000020300000009210000000122050009058103"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000600)={0x24, 0x0, 0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="00221b00"], 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in u2fzero_rng_read
validation run: crashed=true
reproducing took 34m59.496505203s
repro crashed as (corrupted=false):
hid-u2fzero 0003:10C4:8ACF.0001: unknown main item tag 0x0
hid-u2fzero 0003:10C4:8ACF.0001: hidraw0: USB HID v0.00 Device [HID 10c4:8acf] on usb-dummy_hcd.0-1/input0
hid-u2fzero 0003:10C4:8ACF.0001: U2F Zero LED initialised
Unable to handle kernel paging request at virtual address dfff800000000015
KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000015] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4386 Comm: kworker/0:13 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Workqueue: usb_hub_wq hub_event
pstate: 02400005 (nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : u2fzero_recv drivers/hid/hid-u2fzero.c:137 [inline]
pc : u2fzero_rng_read+0x210/0x5ec drivers/hid/hid-u2fzero.c:223
lr : u2fzero_recv drivers/hid/hid-u2fzero.c:135 [inline]
lr : u2fzero_rng_read+0x1ec/0x5ec drivers/hid/hid-u2fzero.c:223
sp : ffff800020c66520
x29: ffff800020c66690 x28: ffff70000418ccac x27: 00000000000000a8
x26: ffff0000dc661088 x25: ffff0000dc661438 x24: ffff800020c66580
x23: ffff0000dc661080 x22: 1fffe0001b8cc287 x21: 1fffe0001b8cc211
x20: ffff0000dc661320 x19: dfff800000000000 x18: ffff800011b7bf60
x17: ffff800018338000 x16: ffff8000082d11b8 x15: ffff800017e19000
x14: ffff60001ab10318 x13: 1fffe0001ab10310 x12: 0000000000000001
x11: ffffffffffffffff x10: dfff800000000000 x9 : 0000000000000001
x8 : 0000000000000015 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff8000184faee0 x4 : 000000000000000a x3 : 0000000000000030
x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff0000d5881886
Call trace:
 u2fzero_recv drivers/hid/hid-u2fzero.c:137 [inline]
 u2fzero_rng_read+0x210/0x5ec drivers/hid/hid-u2fzero.c:223
 rng_get_data drivers/char/hw_random/core.c:201 [inline]
 add_early_randomness+0x88/0x16c drivers/char/hw_random/core.c:73
 hwrng_register+0x37c/0x42c drivers/char/hw_random/core.c:593
 devm_hwrng_register+0x50/0xcc drivers/char/hw_random/core.c:665
 u2fzero_init_hwrng+0x108/0x144 drivers/hid/hid-u2fzero.c:266
 u2fzero_probe+0x300/0x3f0 drivers/hid/hid-u2fzero.c:359
 hid_device_probe+0x22c/0x324 drivers/hid/hid-core.c:2646
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x39c/0xacc drivers/base/dd.c:639
 __driver_probe_device+0x180/0x310 drivers/base/dd.c:785
 driver_probe_device+0x78/0x324 drivers/base/dd.c:815
 __device_attach_driver+0x290/0x4d4 drivers/base/dd.c:943
 bus_for_each_drv+0x154/0x1e4 drivers/base/bus.c:429
 __device_attach+0x2ac/0x3dc drivers/base/dd.c:1015
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1064
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf90 drivers/base/core.c:3697
 hid_add_device+0x310/0x4c4 drivers/hid/hid-core.c:2798
 usbhid_probe+0x90c/0xc8c drivers/hid/usbhid/hid-core.c:1427
 usb_probe_interface+0x514/0x99c drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x39c/0xacc drivers/base/dd.c:639
 __driver_probe_device+0x180/0x310 drivers/base/dd.c:785
 driver_probe_device+0x78/0x324 drivers/base/dd.c:815
 __device_attach_driver+0x290/0x4d4 drivers/base/dd.c:943
 bus_for_each_drv+0x154/0x1e4 drivers/base/bus.c:429
 __device_attach+0x2ac/0x3dc drivers/base/dd.c:1015
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1064
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf90 drivers/base/core.c:3697
 usb_set_configuration+0x1594/0x1b04 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8c/0x144 drivers/usb/core/generic.c:238
 usb_probe_device+0x120/0x258 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x39c/0xacc drivers/base/dd.c:639
 __driver_probe_device+0x180/0x310 drivers/base/dd.c:785
 driver_probe_device+0x78/0x324 drivers/base/dd.c:815
 __device_attach_driver+0x290/0x4d4 drivers/base/dd.c:943
 bus_for_each_drv+0x154/0x1e4 drivers/base/bus.c:429
 __device_attach+0x2ac/0x3dc drivers/base/dd.c:1015
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1064
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf90 drivers/base/core.c:3697
 usb_new_device+0x7f8/0x11e4 drivers/usb/core/hub.c:2659
 hub_port_connect drivers/usb/core/hub.c:5517 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5657 [inline]
 port_event drivers/usb/core/hub.c:5817 [inline]
 hub_event+0x2248/0x3dd8 drivers/usb/core/hub.c:5899
 process_one_work+0x7f8/0x13a4 kernel/workqueue.c:2292
 worker_thread+0x8c4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
Code: 9654c342 f9400348 9102a11b d343ff68 (38736908) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	9654c342 	bl	0xfffffffff9530d08
   4:	f9400348 	ldr	x8, [x26]
   8:	9102a11b 	add	x27, x8, #0xa8
   c:	d343ff68 	lsr	x8, x27, #3
* 10:	38736908 	ldrb	w8, [x8, x19] <-- trapping instruction

final repro crashed as (corrupted=false):
hid-u2fzero 0003:10C4:8ACF.0001: unknown main item tag 0x0
hid-u2fzero 0003:10C4:8ACF.0001: hidraw0: USB HID v0.00 Device [HID 10c4:8acf] on usb-dummy_hcd.0-1/input0
hid-u2fzero 0003:10C4:8ACF.0001: U2F Zero LED initialised
Unable to handle kernel paging request at virtual address dfff800000000015
KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000015] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4386 Comm: kworker/0:13 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Workqueue: usb_hub_wq hub_event
pstate: 02400005 (nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : u2fzero_recv drivers/hid/hid-u2fzero.c:137 [inline]
pc : u2fzero_rng_read+0x210/0x5ec drivers/hid/hid-u2fzero.c:223
lr : u2fzero_recv drivers/hid/hid-u2fzero.c:135 [inline]
lr : u2fzero_rng_read+0x1ec/0x5ec drivers/hid/hid-u2fzero.c:223
sp : ffff800020c66520
x29: ffff800020c66690 x28: ffff70000418ccac x27: 00000000000000a8
x26: ffff0000dc661088 x25: ffff0000dc661438 x24: ffff800020c66580
x23: ffff0000dc661080 x22: 1fffe0001b8cc287 x21: 1fffe0001b8cc211
x20: ffff0000dc661320 x19: dfff800000000000 x18: ffff800011b7bf60
x17: ffff800018338000 x16: ffff8000082d11b8 x15: ffff800017e19000
x14: ffff60001ab10318 x13: 1fffe0001ab10310 x12: 0000000000000001
x11: ffffffffffffffff x10: dfff800000000000 x9 : 0000000000000001
x8 : 0000000000000015 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff8000184faee0 x4 : 000000000000000a x3 : 0000000000000030
x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff0000d5881886
Call trace:
 u2fzero_recv drivers/hid/hid-u2fzero.c:137 [inline]
 u2fzero_rng_read+0x210/0x5ec drivers/hid/hid-u2fzero.c:223
 rng_get_data drivers/char/hw_random/core.c:201 [inline]
 add_early_randomness+0x88/0x16c drivers/char/hw_random/core.c:73
 hwrng_register+0x37c/0x42c drivers/char/hw_random/core.c:593
 devm_hwrng_register+0x50/0xcc drivers/char/hw_random/core.c:665
 u2fzero_init_hwrng+0x108/0x144 drivers/hid/hid-u2fzero.c:266
 u2fzero_probe+0x300/0x3f0 drivers/hid/hid-u2fzero.c:359
 hid_device_probe+0x22c/0x324 drivers/hid/hid-core.c:2646
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x39c/0xacc drivers/base/dd.c:639
 __driver_probe_device+0x180/0x310 drivers/base/dd.c:785
 driver_probe_device+0x78/0x324 drivers/base/dd.c:815
 __device_attach_driver+0x290/0x4d4 drivers/base/dd.c:943
 bus_for_each_drv+0x154/0x1e4 drivers/base/bus.c:429
 __device_attach+0x2ac/0x3dc drivers/base/dd.c:1015
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1064
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf90 drivers/base/core.c:3697
 hid_add_device+0x310/0x4c4 drivers/hid/hid-core.c:2798
 usbhid_probe+0x90c/0xc8c drivers/hid/usbhid/hid-core.c:1427
 usb_probe_interface+0x514/0x99c drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x39c/0xacc drivers/base/dd.c:639
 __driver_probe_device+0x180/0x310 drivers/base/dd.c:785
 driver_probe_device+0x78/0x324 drivers/base/dd.c:815
 __device_attach_driver+0x290/0x4d4 drivers/base/dd.c:943
 bus_for_each_drv+0x154/0x1e4 drivers/base/bus.c:429
 __device_attach+0x2ac/0x3dc drivers/base/dd.c:1015
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1064
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf90 drivers/base/core.c:3697
 usb_set_configuration+0x1594/0x1b04 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8c/0x144 drivers/usb/core/generic.c:238
 usb_probe_device+0x120/0x258 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x39c/0xacc drivers/base/dd.c:639
 __driver_probe_device+0x180/0x310 drivers/base/dd.c:785
 driver_probe_device+0x78/0x324 drivers/base/dd.c:815
 __device_attach_driver+0x290/0x4d4 drivers/base/dd.c:943
 bus_for_each_drv+0x154/0x1e4 drivers/base/bus.c:429
 __device_attach+0x2ac/0x3dc drivers/base/dd.c:1015
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1064
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf90 drivers/base/core.c:3697
 usb_new_device+0x7f8/0x11e4 drivers/usb/core/hub.c:2659
 hub_port_connect drivers/usb/core/hub.c:5517 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5657 [inline]
 port_event drivers/usb/core/hub.c:5817 [inline]
 hub_event+0x2248/0x3dd8 drivers/usb/core/hub.c:5899
 process_one_work+0x7f8/0x13a4 kernel/workqueue.c:2292
 worker_thread+0x8c4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
Code: 9654c342 f9400348 9102a11b d343ff68 (38736908) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	9654c342 	bl	0xfffffffff9530d08
   4:	f9400348 	ldr	x8, [x26]
   8:	9102a11b 	add	x27, x8, #0xa8
   c:	d343ff68 	lsr	x8, x27, #3
* 10:	38736908 	ldrb	w8, [x8, x19] <-- trapping instruction