Extracting prog: 5m51.993998122s
Minimizing prog: 11m6.165858279s
Simplifying prog options: 0s
Extracting C: 2m6.639033808s
Simplifying C: 10m50.149279713s


30 programs, timeouts [15s 1m40s 6m0s]
extracting reproducer from 30 programs
single: executing 5 programs separately with timeout 15s
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$evdev-ioctl$EVIOCGMTSLOTS
detailed listing:
executing program 0:
r0 = syz_open_dev$evdev(&(0x7f0000000000), 0x0, 0x0)
ioctl$EVIOCGMTSLOTS(r0, 0x8040450a, &(0x7f0000000600)=""/140)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet-socket$packet-ioctl$sock_SIOCGIFINDEX-sendmsg$inet
detailed listing:
executing program 0:
r0 = socket$inet(0x2, 0x2, 0x1)
r1 = socket$packet(0x11, 0x3, 0x300)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000040)={'bridge_slave_0\x00', <r2=>0x0})
sendmsg$inet(r0, &(0x7f0000000380)={&(0x7f0000000300)={0x2, 0x0, @broadcast}, 0x10, &(0x7f00000000c0)=[{&(0x7f0000000400)='\b\x00', 0x2}, {&(0x7f0000000180)="96bc1480bb58", 0x6}], 0x2, &(0x7f0000000240)=[@ip_pktinfo={{0x1c, 0x0, 0x8, {r2, @rand_addr, @remote}}}], 0x20}, 0x0)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-bpf$ENABLE_STATS-getpid-process_vm_readv-socket$alg-bind$alg-accept$alg-sendmmsg$alg
detailed listing:
executing program 0:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000000000000000000004b64ffec850000006d000000670000000500000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, 0x2}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000180)='tlb_flush\x00', r0}, 0x10)
bpf$ENABLE_STATS(0x20, 0x0, 0x0)
r1 = getpid()
process_vm_readv(r1, &(0x7f0000008400)=[{&(0x7f0000000300)=""/54, 0x7ffff000}, {&(0x7f0000006180)=""/152, 0x98}], 0x2, &(0x7f0000008640)=[{&(0x7f0000008480)=""/95, 0x7ffff000}], 0x286, 0x0)
r2 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r2, &(0x7f0000000340)={0x26, 'hash\x00', 0x0, 0x0, 'wp512-generic\x00'}, 0x58)
r3 = accept$alg(r2, 0x0, 0x0)
sendmmsg$alg(r3, &(0x7f0000000b80)=[{0x0, 0x0, &(0x7f00000000c0)=[{&(0x7f0000000100)='v', 0xf4240}], 0x1}], 0x1, 0x8004)

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): getpid-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-sched_setscheduler-openat$binderfs-ioctl$BINDER_WRITE_READ-openat$sysfs-write$P9_RUNLINKAT-ioctl$BINDER_WRITE_READ-socket$tipc-syz_open_dev$media-syz_emit_vhci-ioctl$MEDIA_IOC_ENUM_LINKS-syz_open_dev$media-ioctl$MEDIA_IOC_G_TOPOLOGY-syz_open_dev$media-ioctl$MEDIA_IOC_ENUM_LINKS-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_RAW_TRACEPOINT_OPEN-syz_init_net_socket$bt_l2cap-ioctl$FS_IOC_GETFSLABEL
detailed listing:
executing program 0:
getpid()
sched_setscheduler(0x0, 0x0, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r1, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x4)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0x400c620e, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
r3 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/kernel/profiling', 0x22042, 0x0)
write$P9_RUNLINKAT(r3, &(0x7f0000000040)={0x2d}, 0x7)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, 0x0)
socket$tipc(0x1e, 0x0, 0x0)
r4 = syz_open_dev$media(&(0x7f0000000080), 0x3f, 0x0)
syz_emit_vhci(0x0, 0x17)
ioctl$MEDIA_IOC_ENUM_LINKS(0xffffffffffffffff, 0xc0287c02, 0x0)
r5 = syz_open_dev$media(&(0x7f00000001c0), 0x4, 0x0)
ioctl$MEDIA_IOC_G_TOPOLOGY(r5, 0xc0487c04, 0x0)
syz_open_dev$media(&(0x7f0000000000), 0x0, 0x0)
ioctl$MEDIA_IOC_ENUM_LINKS(r4, 0xc0287c02, &(0x7f0000000180)={0x80000000, 0x0, &(0x7f0000000400)})
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000014c0)={0x11, 0x3, &(0x7f0000000100)=ANY=[@ANYBLOB="18000000000000000000000000ed000095"], &(0x7f00000000c0)='syzkaller\x00'}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000200)={&(0x7f0000000000)='contention_begin\x00', r6}, 0x10)
r7 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
ioctl$FS_IOC_GETFSLABEL(r7, 0x800452d2, &(0x7f0000000100))

program did not crash
testing program (duration=15s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
single: successfully extracted reproducer
found reproducer with 4 syscalls
minimizing guilty program
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)

program did not crash
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-socket$inet6_sctp-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
detailed listing:
executing program 0:
syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_usb_control_io(0xffffffffffffffff, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\a'], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_usb_control_io(r0, 0x0, 0x0)

program did not crash
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x5}}}}]}}]}}, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x0, 0x84)
syz_usb_control_io(r0, &(0x7f0000000200)={0x2c, &(0x7f0000000040)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=22.5s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
simplifying C reproducer
testing compiled C program (duration=22.5s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=22.5s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid-socket$inet6_sctp-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
reproducing took 29m54.948194681s
repro crashed as (corrupted=false):
mcp2221 0003:04D8:00DD.0001: unknown main item tag 0x0
mcp2221 0003:04D8:00DD.0001: unknown main item tag 0x0
mcp2221 0003:04D8:00DD.0001: USB HID v0.00 Device [HID 04d8:00dd] on usb-dummy_hcd.0-1/input0
Unable to handle kernel paging request at virtual address dfff800000000000
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 1533 Comm: kworker/0:2 Not tainted 5.15.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: usb_hub_wq hub_event
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mcp_smbus_xfer+0x64/0xdb0 drivers/hid/hid-mcp2221.c:418
lr : mcp_smbus_xfer+0x44/0xdb0 drivers/hid/hid-mcp2221.c:414
sp : ffff800020fe5f40
x29: ffff800020fe5f40 x28: 0000000000000000 x27: dfff800000000000
x26: 1fffe000192dd036 x25: 0000000000000000 x24: 0000000000000000
x23: 0000000000000000 x22: 0000000000000018 x21: 0000000000000000
x20: 1ffff00002947e30 x19: 0000000000000000 x18: ffff800020fe5d20
x17: 0000000000000000 x16: ffff800011ab3128 x15: 000000000000c32f
x14: 000000003b0214a6 x13: dfff800000000000 x12: 0000f2f2f2f2f202
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff0000cc9f9b40
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000018 x0 : ffff0000c96e8088
Call trace:
 mcp_smbus_xfer+0x64/0xdb0 drivers/hid/hid-mcp2221.c:418
 __i2c_smbus_xfer+0x570/0x2b70 drivers/i2c/i2c-core-smbus.c:589
 i2c_smbus_xfer+0x210/0x31c drivers/i2c/i2c-core-smbus.c:544
 i2c_default_probe+0x1c0/0x248
 i2c_detect_address drivers/i2c/i2c-core-base.c:2408 [inline]
 i2c_detect drivers/i2c/i2c-core-base.c:2483 [inline]
 i2c_do_add_adapter+0x3c4/0x8d4 drivers/i2c/i2c-core-base.c:1372
 __process_new_adapter+0x28/0x3c drivers/i2c/i2c-core-base.c:1379
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 i2c_register_adapter+0xcc8/0xf8c drivers/i2c/i2c-core-base.c:1542
 i2c_add_adapter+0x170/0x250
 mcp2221_probe+0x240/0x56c drivers/hid/hid-mcp2221.c:882
 hid_device_probe+0x23c/0x338 drivers/hid/hid-core.c:2307
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 hid_add_device+0x318/0x4b4 drivers/hid/hid-core.c:2459
 usbhid_probe+0x868/0xba8 drivers/hid/usbhid/hid-core.c:1424
 usb_probe_interface+0x500/0x984 drivers/usb/core/driver.c:396
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 usb_set_configuration+0x15e0/0x1b60 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8c/0x148 drivers/usb/core/generic.c:238
 usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 usb_new_device+0x900/0x145c drivers/usb/core/hub.c:2593
 hub_port_connect drivers/usb/core/hub.c:5455 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5595 [inline]
 port_event drivers/usb/core/hub.c:5741 [inline]
 hub_event+0x236c/0x46b8 drivers/usb/core/hub.c:5823
 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
 worker_thread+0x910/0x1034 kernel/workqueue.c:2457
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Code: aa1303e0 96502d95 f9400273 d343fe7c (387b6b88) 
---[ end trace 32597d0e7474c8aa ]---
----------------
Code disassembly (best guess):
   0:	aa1303e0 	mov	x0, x19
   4:	96502d95 	bl	0xfffffffff940b658
   8:	f9400273 	ldr	x19, [x19]
   c:	d343fe7c 	lsr	x28, x19, #3
* 10:	387b6b88 	ldrb	w8, [x28, x27] <-- trapping instruction

final repro crashed as (corrupted=false):
mcp2221 0003:04D8:00DD.0001: unknown main item tag 0x0
mcp2221 0003:04D8:00DD.0001: unknown main item tag 0x0
mcp2221 0003:04D8:00DD.0001: USB HID v0.00 Device [HID 04d8:00dd] on usb-dummy_hcd.0-1/input0
Unable to handle kernel paging request at virtual address dfff800000000000
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 1533 Comm: kworker/0:2 Not tainted 5.15.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: usb_hub_wq hub_event
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mcp_smbus_xfer+0x64/0xdb0 drivers/hid/hid-mcp2221.c:418
lr : mcp_smbus_xfer+0x44/0xdb0 drivers/hid/hid-mcp2221.c:414
sp : ffff800020fe5f40
x29: ffff800020fe5f40 x28: 0000000000000000 x27: dfff800000000000
x26: 1fffe000192dd036 x25: 0000000000000000 x24: 0000000000000000
x23: 0000000000000000 x22: 0000000000000018 x21: 0000000000000000
x20: 1ffff00002947e30 x19: 0000000000000000 x18: ffff800020fe5d20
x17: 0000000000000000 x16: ffff800011ab3128 x15: 000000000000c32f
x14: 000000003b0214a6 x13: dfff800000000000 x12: 0000f2f2f2f2f202
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff0000cc9f9b40
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000018 x0 : ffff0000c96e8088
Call trace:
 mcp_smbus_xfer+0x64/0xdb0 drivers/hid/hid-mcp2221.c:418
 __i2c_smbus_xfer+0x570/0x2b70 drivers/i2c/i2c-core-smbus.c:589
 i2c_smbus_xfer+0x210/0x31c drivers/i2c/i2c-core-smbus.c:544
 i2c_default_probe+0x1c0/0x248
 i2c_detect_address drivers/i2c/i2c-core-base.c:2408 [inline]
 i2c_detect drivers/i2c/i2c-core-base.c:2483 [inline]
 i2c_do_add_adapter+0x3c4/0x8d4 drivers/i2c/i2c-core-base.c:1372
 __process_new_adapter+0x28/0x3c drivers/i2c/i2c-core-base.c:1379
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 i2c_register_adapter+0xcc8/0xf8c drivers/i2c/i2c-core-base.c:1542
 i2c_add_adapter+0x170/0x250
 mcp2221_probe+0x240/0x56c drivers/hid/hid-mcp2221.c:882
 hid_device_probe+0x23c/0x338 drivers/hid/hid-core.c:2307
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 hid_add_device+0x318/0x4b4 drivers/hid/hid-core.c:2459
 usbhid_probe+0x868/0xba8 drivers/hid/usbhid/hid-core.c:1424
 usb_probe_interface+0x500/0x984 drivers/usb/core/driver.c:396
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 usb_set_configuration+0x15e0/0x1b60 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8c/0x148 drivers/usb/core/generic.c:238
 usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x194/0x3b4 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x28c/0x4d8 drivers/base/dd.c:907
 bus_for_each_drv+0x158/0x1e0 drivers/base/bus.c:427
 __device_attach+0x2f0/0x480 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c8 drivers/base/bus.c:487
 device_add+0xae0/0xef4 drivers/base/core.c:3412
 usb_new_device+0x900/0x145c drivers/usb/core/hub.c:2593
 hub_port_connect drivers/usb/core/hub.c:5455 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5595 [inline]
 port_event drivers/usb/core/hub.c:5741 [inline]
 hub_event+0x236c/0x46b8 drivers/usb/core/hub.c:5823
 process_one_work+0x790/0x11b8 kernel/workqueue.c:2310
 worker_thread+0x910/0x1034 kernel/workqueue.c:2457
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Code: aa1303e0 96502d95 f9400273 d343fe7c (387b6b88) 
---[ end trace 32597d0e7474c8aa ]---
----------------
Code disassembly (best guess):
   0:	aa1303e0 	mov	x0, x19
   4:	96502d95 	bl	0xfffffffff940b658
   8:	f9400273 	ldr	x19, [x19]
   c:	d343fe7c 	lsr	x28, x19, #3
* 10:	387b6b88 	ldrb	w8, [x28, x27] <-- trapping instruction