Extracting prog: 14m39.734049756s
Minimizing prog: 1h45m51.931307651s
Simplifying prog options: 0s
Extracting C: 2m35.76137175s
Simplifying C: 20m56.627543809s


extracting reproducer from 65 programs
testing a last program of every proc
single: executing 15 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$AUTOFS_DEV_IOCTL_CLOSEMOUNT-ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT-openat$dsp-close_range-openat$cuse-read$FUSE-lstat-getsockopt$sock_cred-getsockopt$inet6_IPV6_IPSEC_POLICY-getsockopt$sock_cred-read$FUSE-statx-geteuid-read$FUSE-getresgid-read$FUSE-read$FUSE-syz_fuse_handle_req-openat$audio1-openat$cuse-ioctl$FUSE_DEV_IOC_BACKING_CLOSE-sendmsg$NFT_BATCH-ioctl$VFAT_IOCTL_READDIR_BOTH-setsockopt$inet_tcp_int-ioctl$XFS_IOC_COMMIT_RANGE-ioctl$TUNSETIFF-ioctl$sock_kcm_SIOCKCMATTACH-ioctl$BTRFS_IOC_SUBVOL_GETFLAGS-syz_genetlink_get_family_id$nl80211-sendmsg$NL80211_CMD_CONTROL_PORT_FRAME
detailed listing:
executing program 0:
ioctl$AUTOFS_DEV_IOCTL_CLOSEMOUNT(0xffffffffffffffff, 0xc0189375, &(0x7f0000000000)={{0x1, 0x1, 0x18, <r0=>0xffffffffffffffff}, './file0\x00'})
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT(r0, 0x404c534a, &(0x7f0000000040)={0x8, 0x10000, 0xe})
r1 = openat$dsp(0xffffffffffffff9c, &(0x7f00000000c0), 0x20000, 0x0)
close_range(r1, r0, 0x0)
r2 = openat$cuse(0xffffffffffffff9c, &(0x7f0000000100), 0x2, 0x0)
read$FUSE(r0, &(0x7f00000022c0)={0x2020, 0x0, 0x0, 0x0, 0x0, <r3=>0x0}, 0x2020)
lstat(&(0x7f0000004480)='./file0\x00', &(0x7f00000044c0)={0x0, 0x0, 0x0, 0x0, <r4=>0x0})
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000004540)={0x0, 0x0, <r5=>0x0}, &(0x7f0000004580)=0xc)
getsockopt$inet6_IPV6_IPSEC_POLICY(r0, 0x29, 0x22, &(0x7f0000004640)={{{@in=@broadcast, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r6=>0x0}}, {{@in6}, 0x0, @in=@local}}, &(0x7f0000004740)=0xe8)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000004780)={0x0, 0x0, <r7=>0x0}, &(0x7f00000047c0)=0xc)
read$FUSE(r0, &(0x7f0000004940)={0x2020, 0x0, 0x0, <r8=>0x0}, 0x2020)
statx(r0, &(0x7f0000006980)='./file0\x00', 0x400, 0x7ff, &(0x7f00000069c0)={0x0, 0x0, 0x0, 0x0, 0x0, <r9=>0x0})
r10 = geteuid()
read$FUSE(r0, &(0x7f0000006c40)={0x2020, 0x0, 0x0, <r11=>0x0}, 0x2020)
getresgid(&(0x7f0000008c80), &(0x7f0000008cc0)=<r12=>0x0, &(0x7f0000008d00))
read$FUSE(r0, &(0x7f0000008e40)={0x2020, 0x0, 0x0, <r13=>0x0}, 0x2020)
read$FUSE(r0, &(0x7f000000ae80)={0x2020, 0x0, 0x0, 0x0, <r14=>0x0}, 0x2020)
syz_fuse_handle_req(r2, &(0x7f0000000140)="9a24482ed3bf5c07eea9b8b63f2ab26843ebea129c1058e1e28e8b582b75b9cebab835292aaa4a333730d54b3b2f1ae46d2626920e98a609a140d96bfe979244d9fff36e61f771e2002c782a95af0633e32e8e673a172179719aa87f1e4f429491c5d5d1d7dd982289e7e0c010a1f40d95d972f4f10aadbfd00777cad2248deae81fd2f644f18ac6766cb3a83c70bb18f4d8e0403d82a7a8280c497bf8f23414bbe7eaaea766e4e1c871ee2f5a21a8774c2b2617b1540123c26e5304213f8e8806f8f09fca5d006c739c0953dc15496b5a02de7be11b0b76d898e9a2ab3a0164a875207b971705fbf831158ce3d13072e560d06dc517b555cf1dde7c3216fce416cedcfb01442f03d85ed488d133a1a8aac3bf20dfac21061881736d0bf124b8fc54db41e62e51eb70e668d088d4f3063ecdaf507c597aa0b2b0268caa27af922f9960984832c13d1146e622850c3915261d79090111d22c070201944e9053a903c823c17e14799891d0db33fea7189d141ac0b2c3d95e990022880406498ed110ccf05fe2d6e4cb37ae2e1aa0a2eaadc873f601fc82a31a81f977d2b42e01504b4d1dadbff1f97db8f5d07a9a90dd66f2ff7827b4d004dec674bef593c20c56945fb947e77ab2e018303f8517fd01b3fc232d741a933d9692222b25fb839b0ebb1ae42eaea74c57179c8506b532e92b205a0e579fd027d47817751d29a6963b7283c15bd5d66c86c55084e2bbe2d6d35ebcd54e56e7018a341a5d6215bd499fd3c57c4ef92fe4b0346d2fca4f28f9904ddf923deddce846e8800a89fca33a677dd98cf343f76b729e4712fec0ec9b924694fa2b1922000aec2b8864540bf1d4396e4c4cc95d19c1d5c0b841be01f99694eddabfd1d6f55b271d2906a8b775d3564944eb5d0d0c95c9d56dc334212efcf7375efef788e0850c11192cb233e6c4acbce157f96e64a346fa230c82ba62e47fd9b558c4e06b6a186175eecadc256f2cc8d14f044df28ec5a735ce9788cfa2300654ab52953983e78ffa12a9a4e8ead3ce1a7166a55ab30345ca6895b69b8fe79b5a21b05650746360187df9e946a4120a09b5bd84b2ef456646d03fd21de266999a72afd6f92ff51954a621496adccc4f5ca0ac575374273e6e3a775f28a3a2b1415e6904a5bd481d10da05508da2056d5a2a55f3d8e178fe0dee5b2c151fc74d47510af94d3a907dc44515bdd1b261228ffb704925d969c1b35998f5b39b97f98f2bf9ea633143492ec432e3b9f5eb6f2fc1ee23c166428fedb2db9cbeb4a00699c144d8aebf46ef6118eae4b35e9558d0a730b9c6f1ccf3349f38ec480de225c5e369cb9a6ca6488f729dd56465ada29b336c3e78fc3bf4947395e379398aec7b942962e6f2b04dac3c182659e06f206536823661713115aa9bb49452b05dcad017f409bfdcac7a177f969606e6dd04491a13aad4096933dbb20ed65039a38b31be86c2627964035cda934c29b2411fe182ed62b6125f349e6ba422fd6600f9c47633e9eee696526369bd126ee4be86dfef05b65bbd5ace23c50dee7cadfd14c5fafa7cc751f8ee1b3794f16887a389a91d28777f128b155f7f27ec90306e3671e6e371d35af3c623c917e19586611447885bdd9a989f72147dec2b7306d47ead1d9ed66aaae74c18ea5516043b8d2df9ddb9b04b4d0758ee22048676faf29084e9c931c3b21d545788ab2ac0827c2e728e40828c702d5f8a4d73966cf95287616d096299a01a65fb3d2a0bb7d083ced7d9a235f7afc81d10e05d46225118ce1e5dbe62bc6d834b425cce9b58fe6d3f21c98558ac06d7d0879a3af87b86bf935d0dfa7e15ec6adf22a68e34457c0274da360c7950272099d2f46263ee59b896cb331827e59ea15a4648108c0dd1351a6b2a1c8e9df12b61baf92058a2558019a89045552abf1e724b1daf53928fb806ca837fad6b0db83fbe5b09b1d3ce213efc58f422a6752bdfbb80c891c85d7fcbd71e3d36e5fa9962009b2940853738a272b18d019ae3b5af4d19ce79ce79742fa8021177b7e2a8f43b73176a36cb89d57f04d606ebdbcacb9e04dfd638d81c828cf433ef0a2c73d0aeef7e5ec6587b0b596b79a4b4cfb95b23bc302c8b576982495090cbc8db2f0817d6dae9bf58d61d901cb150f53e9f2935fbc411a4b8aae8754f1684548861b7eb7a4917a93a2433228a9520c5534f6642246f9e5e28285bc6c94b737b50e1ff52b889086dcf697e090398f26c0175ccd6eb1abb445d791ecc4d6a7a9917b34cf5fbdc623d6a9b06315f33db6a4a6c43e05190273f8059c933bb3a195e94f3f92559f3ff8d361aeac55145e126d011151952a7336315ee02c1eabbab3406a9ca4b60a3c5f8c85744420a072c1d7c4dfdcbbead972443be18917767e9bef4b1d9745b074a26cb8e392aa27fd9c8b0d0c42ccf657ff2d95532f2a77c561976f0294ac5f07007a70f8e686f650749fdf3979ac5d113e5276cc294b549133c5342ced90fe8a43360d5169fe726fb76af2848f26dedde254d85cffa49cdfc9dfc968d4b3a813b0b96482ed23f80da3771ddb84096a50a99256897c2620d2290f2b2d9b3b5bbdb97b0b08ac8d02ce51395b6dc3d7dc440d8f09e4157ab3990a2341f86ad33313d0d5c2b987c8bb027e71d62f6a9c4973561abaabcd0b7b8e0e1411af3dd1b4a0cadff13b7d72e3a4f06c974169fb38e397c8faaf520d1ca9609476ae4097bb5968c1cacba36da11a049d561f0125cedb0972ee2c26e5e98a41d48de08f6eb1650eca45d67a8d7cd92a9dc67fcf624ae9adadfd158bca950ebe681ef8f203681394e1318518ae6c922cb4556acaa1357b8cd8772e6aca6a64b01e260f432c305574b1ec9df7422b6e3f6f10290e7a789b61ea78f7d19b15edede1fa463bc09d723aaae2304d4d14fb8d767c834912b11ba142718d422052e8a07ab428ba8bef56b621431c2023b06c1f24a4ed596e4e247330133f9da589cf4c1439dcdb317668498af0d2f5e09fc2ece415e54817144d5f5b744a1e7931005b048d44e70f2db407086decc4765d77d3331a75d184db9a835d55ada8023a2b5a0e7c8c6ce29bcfb09e60db4f9b9c337977f1340cf2437f9f3063b7908a054abb7fd2157ebefbf2a1b32341422a23a03ee8a8cbe5a871356d0466e9023e3f12b279cd68c56e9233cd0f4c997a9028b76bbf79609e1c769e54f3c15d93b4692fd29750fa10c4dd9508125cbb5f1b4d2c3c84fdf2bb2e05a2a9b0a365b56db0b74d8a7ca77ebeff2b081ace1b920998a278eaee4d1332189cafdffe015ab5027692ec89112fa829c196123b68144880c7888fa42dd517ad2db92cfd7c6774b4e4214341927e57e8915a70918d2e1005412a4e98b903aa0f58bd21e7f08782b05992b65cfaa8f03ad506c3de516e1676d48768d0115e515fc7566d81da02f54876870e60a5b13d3295159e65f22aaad08b54a56c40543936995eca728655f324a666bb605c074006144561f9eb704b8c83bc91af3ca1b832521d5c5ef04cbda821b44097e69daa493c056e4fd45bf5d33f7f49bb37640e422a0cb7be9e968749994bd25dba085975df502fbf74bb34de6dbd38a6622fef9fe707e64e73a138a59f00ba657d617c93146cef871df32246db4513fa4c09b9a8acc8f53049e63718470a87d3e0407b55ad7de15506bfc7573f3ae85743b25513b6aa0d40a6228ead40e5ae8ee75a056d11df95bae4be82d2f453417c500cf6e35a7bd3787318340de3232494d479a12c39f3af52253d9c8e3dd01f39a61d5a1bdc1778512081b10f175f3b919aad3da815e89989b20db361679b3bfbba040f51b5c538ddf397b47a2c9f8e824771ca9170244fad7866e5c6119a8ca0b8632b9d657fb9ac1854a15bd78849e6864bdf7c495a7b492366aa258b64cec6696b6934dc995b0be7e686112d3dfbd61829ffce02c86d930e3a32cab3113d165aac5bc9151fb3e74ffec07f99dd9f5e25212bd241aa2b3780adc4d8d487a9865b25d2a1f028c3d8995c22350945127ccfbaabfd65bc158eaaea1eee73f683f8620cc709aaa14f4ef8cb18e729c69bd268089ffa1bc8f6c89fb16fbad9c5d3a14a056fb816c282fb60527f3a207edff8eb0f0c21fb7539ff1a8cb0e686de1161a816824ddc09f1a0acea3013112a5920694e372ba1fe52e07569028887a6f36966a25a5b5132e615e136c2a792aaecce6a11fc90bc2656b5fc13acf5946b384795e171235e920c30250b273f58d7f78749b89e0094294e1b1a2ecb85d340586b34d7ab96c2a6ec554c18bf20bc99c5748796ae0e5a7aff5d3682b71175d2aa3c2a4150992cdd3af3e8f15ed9317e71992daab2701e77199f579b8b543c2b8cdbffdd537defae091b743e55f69d251f9023f56f1ea75e68a8248f2f51b4530049d0ce0cd60a1d6ab4153223a83a56444e00bb72a669da50b40a2d9976a4627cfdf247a886f202176a69d856febb943b5102b6a87415065990ee92994a8f34792c02a4b7b8eae0a573d54194f7f11ea1f1a2137c3fbbbd6ef85074316f4df9719ce2ce61fdc5bf3ef902f416436e3625eab36c1f6c3ae6fddac47409b6fad4173cdb6105470c8faec9de30219028c9001cb1371dbb26fde4316dc189651f78019d94a3c47a281c8a7e9cdb2de2d50ee1f308628fb18f6c309e52ff7a16cbe8858f7886f853c38348f2f4fb0cd3b0f464e1adf4e2d0cd6c7aa36adec77063be1f39fc593817efd81321f408e762dc86021317df599cc86ae72c722e63d15b6beb88fb9d3a4ba8026a408eba904c9fa0291873c09c1f9e77b068ee47fce6b9777caefa5c8497b62db190b2daad235433b0921f2e29ea211d3998183eb13b86651a9676e558989ce8dee2ed00d7a29fa1a138e6ae921d65006f506de43018ee850713fe792d16d10afc57b3795b6b35d9dbe99572b88dc6bc77deba72bee01941d76ff01324263ebde26e2d43be3a35cacd024be782f0bc367eb9468f26a86e3a2aa8334374e9c518ae912badd4aa9f68a87aebdbcf66687afcffd79f53a599d868489552cde0e4657211c515970cb1a8a6ffa16517a48a2a394506a1f0a13ef93bfad32f284172d99cafae820e10485b3568e29a59cc413de33d40cf9ecaa334e136eab3662c43a4b02345314f107b10d0632fa99b94c6a76fa0d335cc062f39ec5369d469b8ecd96b996a4d212e653b00aa49bcdca30edfbd193c3e2ed94ee11fb07f629c09982a38bdd66e254e5095f53e8be5f40ff6f580f3721c628bf5afeb8206e384ac3adfb48482919c6a7f32c317df711f86f131cf06754cf00fcdb2d7de314df9aa8fde26e1b701716a845492da269897392c985ec0f0c68e3d6ebee6cfa6f3907dd161ba540aeb7717b7102bdccbaf8330a72400ff056d1d12a400f58b394dc98515a7740ff3ede2b1dbbfb32bb4a4cef8c7d2404695dedc91e0d8e57260a6bc143438e407853832196a4f15fd31e0ea4f3f670b0a6137e72d9859f8da0cb70471d8cbac80087eb263d99527e9997a74f58874430322bf480af900a058ea180d5f180f9a64abd0098d0a841b9a585ca52725578cc67821bd94ec7474fcf381c4bc7b21f1b1122390fb5f50f4278fd90f54747f46badc4a4f70ba3c2ef0dbc631ac1261461fbe0268f22c1eb86f52a3032313eb48a2dc8f8855e1ebe1cd745408d5a4a2d271d1227054437e44e6fc5b282ac7b9663f10683cf7dfaeeb19cf8f313421fb7b4bd1c8692ddf1ff7dd7e4900f58e40c218484af4659cce242a45f8c6644ba38bc47860c842fc8ffa9b0de1cb80419d763e82a2de0bf3b32fb34ed8db0da6ba406d8a4409125cadeb2169f3a7784aa2e23a86abd0a04384e74930a6dabf57ddf826a835e2768630c4d4a5cc1d6cfcc5bb742f5c244c4c41edcd4c575b696b0a961828c9cc09b3aff041ce01cc97795154a106ac714876467efeb9709e27f0b2073b588641f5e011ed67974d4e05ea6e5f4270b0ee34304087eeeae5f5430924a28bec1b5aba918aaf4eaa675af853721219457a18883c18722233bc5beffc7f84b2effdbded90e2863b7a40f717a561bc0eaff00bcf35532ec4599864b044f0774c9d35a69d9dd4ed770fc38f3829b2feed5844446ecdca91feb0f2e54bc542c554a9d4a563986fd603ab658fc7960aaa011168709605c45e2bd9079c5b5e787f2d40041d6250969d564be611f795f58b3134187177c1437d8224fa6188d9f506fd160dc397b07f61b2f8b3e781e368dd0d93b55896878bbbfe227f51330470d5bf62021e000bff6da2621b50234bab512be7055bbcd2992250f87a15f0c06d58d9d948b5db878c33b0dfa3cfdd8f0bbc68733fa3da4fd8ebea1e9bcf16c186ee57c12324b7d9683a21595feb8db75c37c54b242653bb41e39966a7b66307edd6cde94ef7131c57a2ca7ee8d371478935fce49d829a6205ef79bd4f0d7239a722de2230fb6b10298abe9d68fcd93f9bbb4386ecb660d9ccd5b93d317fa1a96fc2acffb146707d8629f4a1c415f9270de591d4223a875f8a3d4a57b43b346a787c7b2381bcb4145abb5a8701225414c4b78f858d0bfd013ba05cd58d1a43f311316d09ad465097b910ebdb35efffc9ac1d4f381a635055e4a9b7abcf2823256f3d457e5c0845168226c9dfedff92d08aaf5852401e11b32bb2bc7b4d18f6dd8c08db6ff017b86acdca8c449fe260a3b2a7ef75a9f909607ed57457ba5327bb8732649e55b62a1b04bd91a63c08cbec8d0b0db3e56f60f9b7257688a4b946885d64509f173dd9f3bb83a19b333f3fc45c8eed6a5a977d699b465c4b1d00d4334eb48e73269372bc4f7d76c6fb44e7d098e9939f10752baba80865a492abf5fdd217976ee19757fb791b70108829c323bb89182708397288efb86da0fdb41278bbc0c59f920fcb79d5b5a79b5ecbe09626772c7b2f50e217431f04e2fbc167548c1154c53c1a99c1eea2b01064b54406e20e99a14e0c142b39b7d1eec071b5328ef0c723ed7dfbc03bf8451d3b86be3ddf604ebdeef20e1974be0fc17c495e1b4fa7ef5c6fa26ea84071fe929d34befc58bd4cf3e177e90bd84fef76b618cc65aaafbded4931b988c231ce384f3c36908884c629e6fc4db5d702d001076f0d3cc23c7d1fd1e57b6067599791d8c7f4e1d9795b55eac41073261c7c1bb123ff9d2d26582610361ef99d4c16000aea9fdfffb727ce1700e35ba8298c029612167ebee0aac6b3c84e83d5d951c58010634235a762cb95355299df027217d6fb31a10a7962571e2b45ca2bba3746847f0b9baeb8a563122c71d1595f62f698d10587b904a95d669a710b91f1bc6ddfd500f30fdf98318b9ce466a7a7efe180065ea3d98f0e4af7ce899a552e59a5f4b9a8c31820c4e96e74cd75fd865009586ff126ba4a83d06aa30668c4df4510e3c05e22c2df3d6c585cb3aa589d577bace127d03dc5b6fa3a420f921cc42b1566b5e26872f9e7d84099979e2289ed9d507261a5cdde0312223c02dfdc90e2ce00aa3f97dc1a9ecd2de398a71313d4d4badfa580fab4e94b7d932ede3da2610c0e21d7a2350cac022f29968dcf11a3d0633296170254458d84412bf80939dfb81b520ea389cca4903614b1f5b95c62068ec6a8b0b6863689f96f391e1d70adb55706bf8e3fe7d3ccee9b84d11087f5445758b24a503d2bcc0694e8b14ec0266e4b80a19e715c93b9d292361913f7965f19d5d2d31a974e79c8d3885d7217b8681b432a1a3ce1a606847a577952b2df575a17325483edb066f929eea33ba511aed5490617add6b5b3315cba4977d9b230d24b24ea3417a47976f22ea25d08bdbc20e0f809dec76704f64e6d3959fea2eb971be871594a1dd5464c59c39677a719141ea031061c8be2143055878ddc525f076eb58f3fcb770e6f9c8be92911a6720969dc0e3e37a8dac356af072e2d192724ca878251f2f9e543d8a268cf9d49e31ca9c32e9bc87e3c79d206f2fae94ad727288ec0eff6dc7675a185295f40fe3ade83a8822a01ec214e09d25f2a999c6ee946a3dca4881df4030d85222d3698003ee728b201880b42dce9e080eadad2bc8051ff608f1c13578211261be265cd266f7d28088a8d62d3bf2b6d576ff43f9f634cf42483af48c431da4483238a0953d655a2e10d2940d2836b0b47f2ae9bba7fdac0cf2c57342c5da2584c4b34479205d34e24b9dc4920065b58d64a3cfa4dc28f94c198dd126ed38fe8b267b39497a53feef0922e237c5a13c25749e6810f7905455a8b99fcf6851a991a56c2fd461f6581786e7d27df6b1346e476708d4353313a09c3f531e31cc2f8cbcb49428fdd07330a7c49cb4a8edb76d4f2ad2aaa558e4f90fcaeeaa0788ca1d383dda75b8166b06aeb7eb40a5a1e48983d2415a91a7404a337135d59c47cd81ff18ba5aa80b0f8e8e9409a3d1d999b5443c106fb42c4fe3b0657059f93f8d1e9caba82ee1e8f05792d23bc596c3416df78546c4bed183dde8eb1075c42e8398ad81da9969622cb241c676c375fc6bb551b18ce60bc98a0031e38f547677c2c5a08290cd73b2169321bc00106be93cb6c43e1835167d8b668cbf85611f39eb8cafe02a51590fc99c1a34ee396d92af93b75371afebed78462de52852ca648b6fdfc6b8556487f2ce331415d2e433f6410f40903cf81344fc58002e6aec199b593fd342cbe344b4b18d13b0a28217a0c52ba6e34d99bb5788c448a1f1186e8af0d4c99b64eb905bf45bd8880fee0ce142fbfe62cbeba36f5f026528d2396e5f761a9e3961f12f67242eaefee10b06373f64d1ab2ca6508335aebd335de05c0025af18da4239515f399f384838f619afbccd31591ba06ad5ff57009aa21fae16d7610669f4adf959a67d07ad2555625376414747c82dd49ff7fbc2a6b6f34e4f8d88ba328fd47e54aa18b298bc23157fd0724eae58d392a81e85e3f178327e4afbdd20107f2de8fe140f62edc053d50f628cf3d92185285112d60fc1325711dbe1cb57e8ae14451b8919c2f351897b180b99c88160521093e494a656daac0ab8baf553bab19a2df6909a1d922fd0a2a600fd0e781ff4dc91cd3f5e399dda80a3c64065f05da198ab61aba78066925593ff8e3dd992f53fe604aefaa8f161989e86af2ad2c4c144bbf546d5e31e846edda7de23726f9504d0036381cc2fad3a92f4f4f8f9a8fd19812af94b72db4a98c94f4f82c3809a1d4a6f038de350c1c037e8faa7a611320c7183b643414043043899a9a260fa9bed448d17b3dd496c23e3528ffba1efd43d622d8c046678908c0493c99829e6bc2461050f890b91fcb0341c7b1b7d8f41c3ea3bf1c0a8883c74eb428024e5cf50b0c6e6ff1fd7b1efd76ebce3668c4383b2db93d84dd2372fc2c62c93583df3779e454d6da8176ac84b41b98d2a96f51368a4b5a195b7c2c3e8c17cf90d89d02e269482501f7eb268bb2f55e0285fd12ebd79ac022d98a63089145a1ab114db4b1aded947d3f94bcb1dc472c547923d1ae70e1918c3cc8c2557d9adc73f67cbd8064114f5753fd0371fc81c7a21ef56b449b65d1613244e474e00bd9ad746936454a246739b3c8b49d5889e18eae6ae10f612a5478c9dd15ca20332e65d7291b5a16b74e9de157aaea27b5337e304512a0311723b1594e84fa46348243a274840577210ebbf6247d490b2b3aca4db62371b5e003d58c202abab6d014dd5371dfa17c2423c8b62c837534b4c48e91892c9aa5644eead442d13424daf042b2fba1722a9d6567f04c5857e4f4ee6c5e81271cc485e0005653a7f481cb3073b836988bb872998920eea400ee39e9d098cb6b92c3aa3e43de0d288771ebb48ba49e5fa80cf4fbbc360efb70b6bdfb20260282166a3f79b3a2583c6e3285e3b47a8e44eadcca3bf6f9e7997dd12ce0081f002f9ce96db3188a40f72dd1fc52bf240e3324517f5bc50b0ffcfeb1540238b35e82b0fb64dedf302cfe0ddd416dbf27ddbeef6fac0a0f07dfe6afb29b35db92134d67196b249ccfd99e98b495976aa529956fa0774f307454223e29957411de22562c2826b5b5e9baddf9ee001356f247580828a628e21a883c3e29368a8f3e7692a6b9b79857dcba6cc6fecf5efa9e3b47f0d376ef7cbf7b151f795ddaaa61a03f7795036dabcf79452891219e710aba437d3d158e70b9662ebb36498cf84cbc52c72f778ea411a4b5f2c5063c382d9dd677f133ac3bcefcfaaf6340222d4fdcd98d513a89d8dfa8fb17e37fe37f0f6d8c767b410a0b3a4eecf079db688d13dbb4df3626d3877326161585a0bdc89521f298e51e7fab03a0ccba23200ee8bc46ea0abf1192354f6e089e3462ff2386680020ae8fd21e73fcdeca550995d6d3097c3fd1013846c7da25643a8f1f3c585fa3b17868c27899c34b9b1a8c47a650006e30d581e8818568d9024a0342e88b1477a0408f50698e9e582673df9ec1c1e356b9228d2ee2cf30526c6147ac51b859c0a95df84589bf87a4947c224d8f4fb0db7918072848bb44756b43fba17d2ee5b5b6a8a3cf53d04cb25043dbfbdc373e3c095d30fb0a90e410e59b4b16d06a2c5dcefb433044d0a519eaa78994cdc14a287bec302e808ea0212f8a5382d518e14f042ab6927a152800d01cd1ec31f0268a410c5b41506ed2436ebbba4f10c3ac577d41cfbff4661726f45f7f71569400b4c64313624db83c383ea5e7bba3870beee70fbacdd8444aeecf4c3f832526187e7a5028438476b05b015048be105527f458fa0d08222e514806912a972e4c77ec9d2f2b815cb990f11d977d3b7ba48334cfa03146e39172679a564c3bf6470dd563052f6e90867c9c2567e18eb6af80d2c6553c8c26b2b5d00507a7234e7505b0ea14728515535e10693a139ce2b8e5208be05737ac9ced829ef0c81d8faf7501dddd5e59a91eae3690606732fe238f3654bf76230582dd124a2c15da4546fcc3077693ab0d0f3d6c18aa06842309094b0be2cbbcee0b93bfaa8d550de4755868e407886261e36a50a201ab52e6fc4393b7568acc0ac68d9d79a838a29bdd167376e4c063d1a91c09ec0a9bb79ee46a78b609ef5f213ab2db9b8ec8050b70509930219993ad813f62d23f2fbe8282a28ef9bb6a237dd353a0d4ecc8c5d1ec19f72a8fdd847b584476dda75ef32c503f10c1ab9ed6850d865b144d9655e7b29e9df3d1426696419a00abfd556fb25e472e73e2e74de28d6546f12f0dc861b01bb0a3d78d7343f0e82a1a8416d37b9e18b72942d6fb2ee89ee92af571b9fcf32715f60dc8e8cd1575efcc9243b098941715525d3dc7e84766c4ba7fff2904d18a3868d1de58e235e5498391c86792af17a6110fcc1d5a84b3c1e83ae795c3e3e47253031b047822710ef3a62ed22cda3b0f0187d6ec32aea5ca948dfd878a15384cf0f841856ceee76328c4bf191cc82ad57eca25154476b2f6b1759f5978d91ce664f6287fddd16be255ff019d2dfccf54b3e6b413b8d5921f7fa41b61aeb91ce38b450cca825016b25c9f2bd9898e338738ea4fc1fa928f48c65d18b5873d050553e51dec8eb135c4f0fc0939ecf3a1759dbeaf1aaad13", 0x2000, &(0x7f000000d000)={&(0x7f0000002140)={0x50, 0x0, 0x3ff, {0x7, 0x2d, 0x2, 0x4002084, 0x0, 0xfff8, 0x0, 0x7f, 0x0, 0x0, 0x10, 0x2}}, &(0x7f00000021c0)={0x18, 0x0, 0x0, {0x5}}, &(0x7f0000002200)={0x18, 0xfffffffffffffff5, 0x3, {0xa}}, &(0x7f0000002240)={0x18, 0x0, 0x7}, &(0x7f0000002280)={0x18, 0xfffffffffffffffe, 0xfffffffffffffffa, {0x9}}, &(0x7f0000004300)={0x28, 0x0, 0x1, {{0x2, 0xfffffffffffffffe, 0x1, r3}}}, &(0x7f0000004340)={0x60, 0xfffffffffffffffe, 0x400, {{0x200, 0x10001, 0x81, 0x5, 0x8e1, 0x3, 0x40, 0x47}}}, &(0x7f00000043c0)={0x18, 0x0, 0x5, {0x6}}, &(0x7f0000004400)={0x19, 0xfffffffffffffff5, 0x1ff, {'^*-/K/\\\xbe\x00'}}, &(0x7f0000004440)={0x20, 0xfffffffffffffffe, 0x8000000000000001, {0x0, 0x1a}}, &(0x7f00000045c0)={0x78, 0x0, 0x200, {0x6023, 0x8, 0x0, {0x2, 0x6, 0x4, 0xff, 0xaa, 0xffffffffffffffff, 0x80000001, 0x9, 0x2, 0x6000, 0x0, r4, r5, 0x200, 0x5}}}, &(0x7f0000004800)={0x90, 0xfffffffffffffffe, 0x8, {0x5, 0x1, 0x8, 0xfffffffffffffffd, 0x2, 0x4, {0x2, 0x2, 0x57f, 0xb, 0x6, 0x5, 0x9, 0x8000, 0xffffffff, 0x8000, 0x1, r6, r7, 0x7fffffff, 0xb9}}}, &(0x7f00000048c0)={0x58, 0x0, 0xfffffffffffffff6, [{0x3, 0x6, 0x1, 0x2, '\x00'}, {0x3, 0x7800000, 0x9, 0x10000, '/dev/dsp\x00'}]}, &(0x7f0000006ac0)={0x148, 0x0, 0x2, [{{0x2, 0x0, 0x5, 0xc77, 0xfff, 0x9, {0x2, 0xff8, 0x10001, 0x6, 0x9, 0x86, 0xc8, 0xc, 0x2, 0xc000, 0x3, r8, r9, 0x4, 0x5}}, {0x2, 0x5, 0x0, 0x7fffffff}}, {{0x5, 0x2, 0x9, 0x69, 0x1, 0xdb1cd2c, {0x2, 0x1, 0x101, 0x3, 0xb, 0x5, 0x4, 0x10001, 0xf641, 0xa000, 0x3, r10, 0xffffffffffffffff, 0x568, 0x6}}, {0x3, 0x45, 0x7, 0x101, '\\/#:,,$'}}]}, &(0x7f0000008d40)={0xa0, 0x0, 0x2, {{0x3, 0x2, 0x5, 0x401, 0x1, 0x1000, {0x3, 0xa9ec, 0x0, 0x95, 0x8, 0x4, 0x8, 0x0, 0x0, 0xc000, 0x2, r11, r12, 0x5, 0x1}}, {0x0, 0x4}}}, &(0x7f0000008e00)={0x20, 0x2f, 0x7, {0x9, 0x0, 0x4, 0x7}}, &(0x7f000000cec0)={0x130, 0xfffffffffffffff5, 0x7, {0x6, 0x5, 0x0, '\x00', {0x100, 0x1000, 0x39e, 0x1cb, r13, r14, 0x8000, '\x00', 0x844, 0x1, 0xc, 0xffff, {0x6, 0x806a}, {0x6, 0x40}, {0x2, 0xed3a}, {0x0, 0x3}, 0x6, 0x8, 0x7, 0x4}}}})
r15 = openat$audio1(0xffffffffffffff9c, &(0x7f000000d0c0), 0x2000, 0x0)
r16 = openat$cuse(0xffffffffffffff9c, &(0x7f000000d100), 0x2, 0x0)
ioctl$FUSE_DEV_IOC_BACKING_CLOSE(r16, 0x4004e502, &(0x7f000000d140)=0x800)
sendmsg$NFT_BATCH(r0, &(0x7f000000d300)={&(0x7f000000d180)={0x10, 0x0, 0x0, 0x20}, 0xc, &(0x7f000000d2c0)={&(0x7f000000d1c0)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x5}}, [@NFT_MSG_DELRULE={0x80, 0x8, 0xa, 0x801, 0x0, 0x0, {0xa, 0x0, 0x2}, [@NFTA_RULE_ID={0x8, 0x9, 0x1, 0x0, 0x3}, @NFTA_RULE_ID={0x8, 0x9, 0x1, 0x0, 0x2}, @NFTA_RULE_USERDATA={0x59, 0x7, 0x1, 0x0, "ce20dddea3df59bc03a707ae9acfb70a5b347c5e453af70a1c9471cd670463e5f4792b5805402360bb8a5636813ecfdc86c2afc43cce0e3888307b9e7b894aa8c31da61bdc10e7032455c035a85af13b5a21f76e19"}]}, @NFT_MSG_DELRULE={0x28, 0x8, 0xa, 0x3, 0x0, 0x0, {0x7, 0x0, 0x3}, [@NFTA_RULE_POSITION_ID={0x8}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz1\x00'}]}], {0x14}}, 0xd0}, 0x1, 0x0, 0x0, 0x20000040}, 0x4000040)
ioctl$VFAT_IOCTL_READDIR_BOTH(r2, 0x82307201, &(0x7f000000d340)=[{0x0, 0x0, 0x100}, {0x0, 0x0, 0x100}])
setsockopt$inet_tcp_int(r0, 0x6, 0x6, &(0x7f000000d580)=0xfffff679, 0x4)
ioctl$XFS_IOC_COMMIT_RANGE(r15, 0x40585883, &(0x7f000000d5c0)={r15, 0x0, 0x81, 0x7, 0x1, 0x2, [0xff, 0x8000000000000001, 0x5, 0x3, 0x221, 0x1]})
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f000000d640)={'pimreg\x00', 0x2})
ioctl$sock_kcm_SIOCKCMATTACH(r0, 0x89e0, &(0x7f000000d680)={r0, r0})
ioctl$BTRFS_IOC_SUBVOL_GETFLAGS(r0, 0x80089419, &(0x7f000000d6c0))
r17 = syz_genetlink_get_family_id$nl80211(&(0x7f000000d740), r0)
sendmsg$NL80211_CMD_CONTROL_PORT_FRAME(r0, &(0x7f000000d800)={&(0x7f000000d700)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f000000d7c0)={&(0x7f000000d780)={0x34, r17, 0x20, 0x70bd2d, 0x25dfdbfd, {{}, {@void, @val={0xc, 0x99, {0x6, 0x74}}}}, [@NL80211_ATTR_CONTROL_PORT_ETHERTYPE={0x6, 0x66, 0x888e}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}]}, 0x34}, 0x1, 0x0, 0x0, 0x8810}, 0x8090)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-prctl$PR_SCHED_CORE-sched_setattr-openat$tun-ioctl$TUNSETIFF-socket$nl_route-socket$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route_sched-socket$unix-socket$kcm-openat$tun-close-socket-socket$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route_sched-ioctl$SIOCSIFHWADDR-ioctl$sock_SIOCGIFINDEX-setsockopt$sock_attach_bpf-sendmsg$kcm-openat$iommufd-ioctl$IOMMU_IOAS_MAP$PAGES-getpeername$tipc-open-openat
detailed listing:
executing program 0:
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000200)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
connect$unix(r0, &(0x7f00000003c0)=@abs={0x0, 0x0, 0x4e21}, 0x6e)
sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sched_setattr(0x0, &(0x7f0000000280)={0x38, 0x5, 0x8, 0x8001, 0x0, 0x4, 0x0, 0x806, 0x5, 0xffffffff}, 0x0)
r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
r3 = socket$nl_route(0x10, 0x3, 0x0)
r4 = socket$unix(0x1, 0x1, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r5=>0x0})
sendmsg$nl_route_sched(r3, &(0x7f0000000740)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000840)=@newqdisc={0x34, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xffffffff, {0x0, 0x0, 0x0, r5, {0x0, 0xfff1}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_cake={{0x9}, {0x4}}]}, 0x34}, 0x1, 0x0, 0x0, 0x4000000}, 0x20040084)
r6 = socket$unix(0x1, 0x1, 0x0)
r7 = socket$kcm(0x11, 0x3, 0x0)
r8 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
close(r8)
r9 = socket(0x400000000010, 0x3, 0x0)
r10 = socket$unix(0x1, 0x1, 0x0)
ioctl$sock_SIOCGIFINDEX(r10, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r11=>0x0})
sendmsg$nl_route_sched(r9, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000022c0)=@newtfilter={0x90, 0x2c, 0xd3f, 0x30bd2d, 0x25dfdbfd, {0x0, 0x0, 0x0, r11, {0xb, 0xfff3}, {}, {0x8, 0x300}}, [@filter_kind_options=@f_matchall={{0xd}, {0x5c, 0x2, [@TCA_MATCHALL_ACT={0x58, 0x2, [@m_simple={0x54, 0x1, 0x0, 0x0, {{0xb}, {0x28, 0x2, 0x0, 0x1, [@TCA_DEF_PARMS={0x18, 0x2, {0x40, 0x9, 0x2000e4ff, 0xb, 0x7}}, @TCA_DEF_DATA={0xa, 0x3, 'basic\x00'}]}, {0x4}, {0xc, 0x7, {0x1, 0x1}}, {0xc, 0x8, {0x1, 0x3}}}}]}]}}]}, 0x90}, 0x1, 0x0, 0x0, 0x10}, 0x0)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast})
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', <r12=>0x0})
setsockopt$sock_attach_bpf(r7, 0x107, 0xf, &(0x7f0000000600), 0x56)
sendmsg$kcm(r7, &(0x7f0000000000)={&(0x7f0000000380)=@xdp={0x2c, 0x0, r12, 0x3e}, 0x80, &(0x7f00000001c0)=[{&(0x7f0000000180)="27030200080314000e00002fb96dffff1144ee163cddcb000000800000827600000000000000", 0x26}, {&(0x7f0000000780)="f058050000007f8f", 0x4000}], 0x2}, 0x5)
r13 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$IOMMU_IOAS_MAP$PAGES(r13, 0x3b85, &(0x7f0000000040)={0x28, 0x1, 0x0, 0x0, &(0x7f0000800000/0x800000)=nil, 0x800000, 0xfffffffffffffffc})
getpeername$tipc(0xffffffffffffffff, &(0x7f0000000080)=@name, &(0x7f0000000180)=0x10)
open(&(0x7f0000000040)='.\x00', 0x0, 0x6c)
openat(0xffffffffffffff9c, &(0x7f0000000440)='./file1\x00', 0x103a42, 0x32)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn-bpf$BPF_BTF_GET_NEXT_ID-bpf$PROG_LOAD-io_setup-openat$sndtimer-socket$nl_route-sendmsg$nl_route-io_submit-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
r5 = socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
r6 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
r7 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r8 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r9=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r9, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r10=>0x0})
sendmsg$nl_route(r8, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r10, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r11 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r11, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r10}, 0xc)
bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f00000009c0)={0x3ff, <r12=>0x0}, 0x8)
bpf$PROG_LOAD(0x5, &(0x7f0000000ac0)={0x11, 0x10, &(0x7f0000000d40)=ANY=[@ANYBLOB="1800000002000000000000000200000018110000", @ANYRES32=r7, @ANYBLOB="0000000000000000b702000014000000b7030000000000008520000083000000bf090000000000005509010000000000950000000000000092240c0008000000bf91000600000000b702000000000094305a40a2008500000085000000b700000000000000950000484116c2d5bf3fef50790ceef577a9832b5c6ca936b2f7ab7a0e04ad1df9695b0dde96b2361e76"], &(0x7f0000000880)='syzkaller\x00', 0x1, 0x6c, &(0x7f00000008c0)=""/108, 0x41000, 0x2d, '\x00', 0x0, @fallback=0x1f, r11, 0x8, &(0x7f0000000940)={0x1, 0x3}, 0x8, 0x10, &(0x7f0000000980)={0x3, 0x2, 0xc, 0x5}, 0x10, r12, r6, 0x5, &(0x7f0000000a00)=[r2, r2], &(0x7f0000000a40)=[{0x5, 0x4, 0x0, 0x6}, {0x0, 0x4, 0xe, 0x1}, {0x5, 0x1, 0xa, 0x2}, {0x3, 0x5, 0x1}, {0x4, 0x2, 0x7}], 0x10, 0x2}, 0x94)
io_setup(0x1, &(0x7f0000000180))
r13 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000080), 0x0)
r14 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r14, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=@dellinkprop={0x20, 0x6d, 0x1}, 0x20}}, 0x0)
io_submit(0x0, 0x1, &(0x7f0000000280)=[&(0x7f00000000c0)={0x0, 0x0, 0x0, 0x5, 0x7, r13, 0x0, 0x0, 0x9, 0x0, 0x1}])
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r15=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r15, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r16=>0x0})
sendmsg$nl_route(r5, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=ANY=[@ANYBLOB="440000001000010030000000ffdbdf2500000000", @ANYRES32=r16, @ANYBLOB="0000000000100000240012800b0001006d616373656300001400028005000f"], 0x44}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
single: successfully extracted reproducer
found reproducer with 30 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn-bpf$BPF_BTF_GET_NEXT_ID-bpf$PROG_LOAD-io_setup-openat$sndtimer-socket$nl_route-sendmsg$nl_route-io_submit-socketpair$unix-ioctl$sock_SIOCGIFINDEX
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
r5 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r7 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r9, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r10 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r10, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r9}, 0xc)
bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f00000009c0)={0x3ff, <r11=>0x0}, 0x8)
bpf$PROG_LOAD(0x5, &(0x7f0000000ac0)={0x11, 0x10, &(0x7f0000000d40)=ANY=[@ANYBLOB="1800000002000000000000000200000018110000", @ANYRES32=r6, @ANYBLOB="0000000000000000b702000014000000b7030000000000008520000083000000bf090000000000005509010000000000950000000000000092240c0008000000bf91000600000000b702000000000094305a40a2008500000085000000b700000000000000950000484116c2d5bf3fef50790ceef577a9832b5c6ca936b2f7ab7a0e04ad1df9695b0dde96b2361e76"], &(0x7f0000000880)='syzkaller\x00', 0x1, 0x6c, &(0x7f00000008c0)=""/108, 0x41000, 0x2d, '\x00', 0x0, @fallback=0x1f, r10, 0x8, &(0x7f0000000940)={0x1, 0x3}, 0x8, 0x10, &(0x7f0000000980)={0x3, 0x2, 0xc, 0x5}, 0x10, r11, r5, 0x5, &(0x7f0000000a00)=[r2, r2], &(0x7f0000000a40)=[{0x5, 0x4, 0x0, 0x6}, {0x0, 0x4, 0xe, 0x1}, {0x5, 0x1, 0xa, 0x2}, {0x3, 0x5, 0x1}, {0x4, 0x2, 0x7}], 0x10, 0x2}, 0x94)
io_setup(0x1, &(0x7f0000000180))
r12 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000080), 0x0)
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r13, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=@dellinkprop={0x20, 0x6d, 0x1}, 0x20}}, 0x0)
io_submit(0x0, 0x1, &(0x7f0000000280)=[&(0x7f00000000c0)={0x0, 0x0, 0x0, 0x5, 0x7, r12, 0x0, 0x0, 0x9, 0x0, 0x1}])
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r14=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r14, 0x8933, &(0x7f0000000000)={'macsec0\x00'})

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn-bpf$BPF_BTF_GET_NEXT_ID-bpf$PROG_LOAD-io_setup-openat$sndtimer-socket$nl_route-sendmsg$nl_route-io_submit-socketpair$unix
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
r5 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r7 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r9, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r10 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r10, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r9}, 0xc)
bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f00000009c0)={0x3ff, <r11=>0x0}, 0x8)
bpf$PROG_LOAD(0x5, &(0x7f0000000ac0)={0x11, 0x10, &(0x7f0000000d40)=ANY=[@ANYBLOB="1800000002000000000000000200000018110000", @ANYRES32=r6, @ANYBLOB="0000000000000000b702000014000000b7030000000000008520000083000000bf090000000000005509010000000000950000000000000092240c0008000000bf91000600000000b702000000000094305a40a2008500000085000000b700000000000000950000484116c2d5bf3fef50790ceef577a9832b5c6ca936b2f7ab7a0e04ad1df9695b0dde96b2361e76"], &(0x7f0000000880)='syzkaller\x00', 0x1, 0x6c, &(0x7f00000008c0)=""/108, 0x41000, 0x2d, '\x00', 0x0, @fallback=0x1f, r10, 0x8, &(0x7f0000000940)={0x1, 0x3}, 0x8, 0x10, &(0x7f0000000980)={0x3, 0x2, 0xc, 0x5}, 0x10, r11, r5, 0x5, &(0x7f0000000a00)=[r2, r2], &(0x7f0000000a40)=[{0x5, 0x4, 0x0, 0x6}, {0x0, 0x4, 0xe, 0x1}, {0x5, 0x1, 0xa, 0x2}, {0x3, 0x5, 0x1}, {0x4, 0x2, 0x7}], 0x10, 0x2}, 0x94)
io_setup(0x1, &(0x7f0000000180))
r12 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000080), 0x0)
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r13, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=@dellinkprop={0x20, 0x6d, 0x1}, 0x20}}, 0x0)
io_submit(0x0, 0x1, &(0x7f0000000280)=[&(0x7f00000000c0)={0x0, 0x0, 0x0, 0x5, 0x7, r12, 0x0, 0x0, 0x9, 0x0, 0x1}])
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080))

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn-bpf$BPF_BTF_GET_NEXT_ID-bpf$PROG_LOAD-io_setup-openat$sndtimer-socket$nl_route-sendmsg$nl_route-io_submit
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
r5 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r7 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r9, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r10 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r10, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r9}, 0xc)
bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f00000009c0)={0x3ff, <r11=>0x0}, 0x8)
bpf$PROG_LOAD(0x5, &(0x7f0000000ac0)={0x11, 0x10, &(0x7f0000000d40)=ANY=[@ANYBLOB="1800000002000000000000000200000018110000", @ANYRES32=r6, @ANYBLOB="0000000000000000b702000014000000b7030000000000008520000083000000bf090000000000005509010000000000950000000000000092240c0008000000bf91000600000000b702000000000094305a40a2008500000085000000b700000000000000950000484116c2d5bf3fef50790ceef577a9832b5c6ca936b2f7ab7a0e04ad1df9695b0dde96b2361e76"], &(0x7f0000000880)='syzkaller\x00', 0x1, 0x6c, &(0x7f00000008c0)=""/108, 0x41000, 0x2d, '\x00', 0x0, @fallback=0x1f, r10, 0x8, &(0x7f0000000940)={0x1, 0x3}, 0x8, 0x10, &(0x7f0000000980)={0x3, 0x2, 0xc, 0x5}, 0x10, r11, r5, 0x5, &(0x7f0000000a00)=[r2, r2], &(0x7f0000000a40)=[{0x5, 0x4, 0x0, 0x6}, {0x0, 0x4, 0xe, 0x1}, {0x5, 0x1, 0xa, 0x2}, {0x3, 0x5, 0x1}, {0x4, 0x2, 0x7}], 0x10, 0x2}, 0x94)
io_setup(0x1, &(0x7f0000000180))
r12 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000080), 0x0)
r13 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r13, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=@dellinkprop={0x20, 0x6d, 0x1}, 0x20}}, 0x0)
io_submit(0x0, 0x1, &(0x7f0000000280)=[&(0x7f00000000c0)={0x0, 0x0, 0x0, 0x5, 0x7, r12, 0x0, 0x0, 0x9, 0x0, 0x1}])

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn-bpf$BPF_BTF_GET_NEXT_ID-bpf$PROG_LOAD-io_setup-openat$sndtimer-socket$nl_route-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
r5 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r7 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r9, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r10 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r10, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r9}, 0xc)
bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f00000009c0)={0x3ff, <r11=>0x0}, 0x8)
bpf$PROG_LOAD(0x5, &(0x7f0000000ac0)={0x11, 0x10, &(0x7f0000000d40)=ANY=[@ANYBLOB="1800000002000000000000000200000018110000", @ANYRES32=r6, @ANYBLOB="0000000000000000b702000014000000b7030000000000008520000083000000bf090000000000005509010000000000950000000000000092240c0008000000bf91000600000000b702000000000094305a40a2008500000085000000b700000000000000950000484116c2d5bf3fef50790ceef577a9832b5c6ca936b2f7ab7a0e04ad1df9695b0dde96b2361e76"], &(0x7f0000000880)='syzkaller\x00', 0x1, 0x6c, &(0x7f00000008c0)=""/108, 0x41000, 0x2d, '\x00', 0x0, @fallback=0x1f, r10, 0x8, &(0x7f0000000940)={0x1, 0x3}, 0x8, 0x10, &(0x7f0000000980)={0x3, 0x2, 0xc, 0x5}, 0x10, r11, r5, 0x5, &(0x7f0000000a00)=[r2, r2], &(0x7f0000000a40)=[{0x5, 0x4, 0x0, 0x6}, {0x0, 0x4, 0xe, 0x1}, {0x5, 0x1, 0xa, 0x2}, {0x3, 0x5, 0x1}, {0x4, 0x2, 0x7}], 0x10, 0x2}, 0x94)
io_setup(0x1, &(0x7f0000000180))
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000080), 0x0)
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r12, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000040)=@dellinkprop={0x20, 0x6d, 0x1}, 0x20}}, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn-bpf$BPF_BTF_GET_NEXT_ID-bpf$PROG_LOAD-io_setup-openat$sndtimer-socket$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
r5 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r7 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r9, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r10 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r10, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r9}, 0xc)
bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f00000009c0)={0x3ff, <r11=>0x0}, 0x8)
bpf$PROG_LOAD(0x5, &(0x7f0000000ac0)={0x11, 0x10, &(0x7f0000000d40)=ANY=[@ANYBLOB="1800000002000000000000000200000018110000", @ANYRES32=r6, @ANYBLOB="0000000000000000b702000014000000b7030000000000008520000083000000bf090000000000005509010000000000950000000000000092240c0008000000bf91000600000000b702000000000094305a40a2008500000085000000b700000000000000950000484116c2d5bf3fef50790ceef577a9832b5c6ca936b2f7ab7a0e04ad1df9695b0dde96b2361e76"], &(0x7f0000000880)='syzkaller\x00', 0x1, 0x6c, &(0x7f00000008c0)=""/108, 0x41000, 0x2d, '\x00', 0x0, @fallback=0x1f, r10, 0x8, &(0x7f0000000940)={0x1, 0x3}, 0x8, 0x10, &(0x7f0000000980)={0x3, 0x2, 0xc, 0x5}, 0x10, r11, r5, 0x5, &(0x7f0000000a00)=[r2, r2], &(0x7f0000000a40)=[{0x5, 0x4, 0x0, 0x6}, {0x0, 0x4, 0xe, 0x1}, {0x5, 0x1, 0xa, 0x2}, {0x3, 0x5, 0x1}, {0x4, 0x2, 0x7}], 0x10, 0x2}, 0x94)
io_setup(0x1, &(0x7f0000000180))
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000080), 0x0)
socket$nl_route(0x10, 0x3, 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn-bpf$BPF_BTF_GET_NEXT_ID-bpf$PROG_LOAD-io_setup-openat$sndtimer
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
r5 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r7 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r9, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r10 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r10, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r9}, 0xc)
bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f00000009c0)={0x3ff, <r11=>0x0}, 0x8)
bpf$PROG_LOAD(0x5, &(0x7f0000000ac0)={0x11, 0x10, &(0x7f0000000d40)=ANY=[@ANYBLOB="1800000002000000000000000200000018110000", @ANYRES32=r6, @ANYBLOB="0000000000000000b702000014000000b7030000000000008520000083000000bf090000000000005509010000000000950000000000000092240c0008000000bf91000600000000b702000000000094305a40a2008500000085000000b700000000000000950000484116c2d5bf3fef50790ceef577a9832b5c6ca936b2f7ab7a0e04ad1df9695b0dde96b2361e76"], &(0x7f0000000880)='syzkaller\x00', 0x1, 0x6c, &(0x7f00000008c0)=""/108, 0x41000, 0x2d, '\x00', 0x0, @fallback=0x1f, r10, 0x8, &(0x7f0000000940)={0x1, 0x3}, 0x8, 0x10, &(0x7f0000000980)={0x3, 0x2, 0xc, 0x5}, 0x10, r11, r5, 0x5, &(0x7f0000000a00)=[r2, r2], &(0x7f0000000a40)=[{0x5, 0x4, 0x0, 0x6}, {0x0, 0x4, 0xe, 0x1}, {0x5, 0x1, 0xa, 0x2}, {0x3, 0x5, 0x1}, {0x4, 0x2, 0x7}], 0x10, 0x2}, 0x94)
io_setup(0x1, &(0x7f0000000180))
openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000080), 0x0)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn-bpf$BPF_BTF_GET_NEXT_ID-bpf$PROG_LOAD-io_setup
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
r5 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r7 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r9, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r10 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r10, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r9}, 0xc)
bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f00000009c0)={0x3ff, <r11=>0x0}, 0x8)
bpf$PROG_LOAD(0x5, &(0x7f0000000ac0)={0x11, 0x10, &(0x7f0000000d40)=ANY=[@ANYBLOB="1800000002000000000000000200000018110000", @ANYRES32=r6, @ANYBLOB="0000000000000000b702000014000000b7030000000000008520000083000000bf090000000000005509010000000000950000000000000092240c0008000000bf91000600000000b702000000000094305a40a2008500000085000000b700000000000000950000484116c2d5bf3fef50790ceef577a9832b5c6ca936b2f7ab7a0e04ad1df9695b0dde96b2361e76"], &(0x7f0000000880)='syzkaller\x00', 0x1, 0x6c, &(0x7f00000008c0)=""/108, 0x41000, 0x2d, '\x00', 0x0, @fallback=0x1f, r10, 0x8, &(0x7f0000000940)={0x1, 0x3}, 0x8, 0x10, &(0x7f0000000980)={0x3, 0x2, 0xc, 0x5}, 0x10, r11, r5, 0x5, &(0x7f0000000a00)=[r2, r2], &(0x7f0000000a40)=[{0x5, 0x4, 0x0, 0x6}, {0x0, 0x4, 0xe, 0x1}, {0x5, 0x1, 0xa, 0x2}, {0x3, 0x5, 0x1}, {0x4, 0x2, 0x7}], 0x10, 0x2}, 0x94)
io_setup(0x1, &(0x7f0000000180))

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn-bpf$BPF_BTF_GET_NEXT_ID-bpf$PROG_LOAD
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
r5 = bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
r6 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r7 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r8=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r9=>0x0})
sendmsg$nl_route(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r9, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r10 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r10, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r9}, 0xc)
bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f00000009c0)={0x3ff, <r11=>0x0}, 0x8)
bpf$PROG_LOAD(0x5, &(0x7f0000000ac0)={0x11, 0x10, &(0x7f0000000d40)=ANY=[@ANYBLOB="1800000002000000000000000200000018110000", @ANYRES32=r6, @ANYBLOB="0000000000000000b702000014000000b7030000000000008520000083000000bf090000000000005509010000000000950000000000000092240c0008000000bf91000600000000b702000000000094305a40a2008500000085000000b700000000000000950000484116c2d5bf3fef50790ceef577a9832b5c6ca936b2f7ab7a0e04ad1df9695b0dde96b2361e76"], &(0x7f0000000880)='syzkaller\x00', 0x1, 0x6c, &(0x7f00000008c0)=""/108, 0x41000, 0x2d, '\x00', 0x0, @fallback=0x1f, r10, 0x8, &(0x7f0000000940)={0x1, 0x3}, 0x8, 0x10, &(0x7f0000000980)={0x3, 0x2, 0xc, 0x5}, 0x10, r11, r5, 0x5, &(0x7f0000000a00)=[r2, r2], &(0x7f0000000a40)=[{0x5, 0x4, 0x0, 0x6}, {0x0, 0x4, 0xe, 0x1}, {0x5, 0x1, 0xa, 0x2}, {0x3, 0x5, 0x1}, {0x4, 0x2, 0x7}], 0x10, 0x2}, 0x94)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn-bpf$BPF_BTF_GET_NEXT_ID
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r5 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r6=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r7=>0x0})
sendmsg$nl_route(r5, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r7, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r8 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r8, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r7}, 0xc)
bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f00000009c0)={0x3ff}, 0x8)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree-setsockopt$inet_mreqn
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r5 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r6=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r7=>0x0})
sendmsg$nl_route(r5, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r7, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
r8 = open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)
setsockopt$inet_mreqn(r8, 0x0, 0x24, &(0x7f0000000000)={@rand_addr=0x64010100, @loopback, r7}, 0xc)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route-open_tree
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r5 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r6=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r7=>0x0})
sendmsg$nl_route(r5, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r7, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)
open_tree(0xffffffffffffff9c, &(0x7f0000000780)='./file0\x00', 0x89901)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r5 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r6=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'macsec0\x00', <r7=>0x0})
sendmsg$nl_route(r5, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32=r7, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-ioctl$sock_SIOCGIFINDEX
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r5=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000000)={'macsec0\x00'})

program crashed: lost connection to test machine
suppressed program crash: lost connection to test machine
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-socketpair$unix-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r5 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080))
sendmsg$nl_route(r5, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-socket$netlink-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
r5 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route(r5, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-bpf$MAP_CREATE_RINGBUF-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000b80)={0x1b, 0x0, 0x0, 0x9, 0x0, r2, 0x8, '\x00', 0x0, 0xffffffffffffffff, 0x1, 0x1, 0x3}, 0x50)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-bpf$PROG_LOAD-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0x1, 0x4, &(0x7f0000000c00)=ANY=[@ANYBLOB="b707000700dc7021203d6b773daa26b04e49af1fb8c23690511fb8f479f2628cdb97f0251b4fda395132cc39f1b095e21b11e91ecad359bc99e205a40f6c6afde0f8f2f153fb799a88c93a45b0f4c3db8291ba89c2e449eb5256efd053ca9d00"/108], &(0x7f0000003ff6)='GPL\x00', 0x4, 0xb579, &(0x7f000000cf3d)=""/195}, 0x23)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-capset-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
capset(&(0x7f0000000080)={0x20071026}, &(0x7f0000000040))
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-socket$netlink-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-syz_usb_control_io$cdc_ecm-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
r0 = syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r2 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r4, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r1, 0x540a, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000500)={0x1c, &(0x7f0000000380)={0x20, 0xf, 0x1, '\x00'}, 0x0, 0x0})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r0 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r1 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r2, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r1, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r3, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
ioctl$TCXONC(r0, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-bpf$BPF_PROG_TEST_RUN-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
r2 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r0, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000540)={r2, 0x18000000000002a0, 0xe, 0x0, &(0x7f00000002c0)="d2ff0600600100004199dec6aa4a", 0x0, 0x40d5b1, 0x60000000, 0x0, 0x0, 0x0, 0x0}, 0x4c)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-bpf$BPF_PROG_RAW_TRACEPOINT_LOAD-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r0 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
r1 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r2, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000400)={0x1, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff000000009408000000001700638af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r1, @ANYBLOB="0000000000000000b703000008000000850000006900000095"], &(0x7f0000005d80)='syzkaller\x00', 0xc}, 0x94)
ioctl$TCXONC(r0, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-setsockopt$IP6T_SO_SET_REPLACE-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r0 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r1, 0x29, 0x40, &(0x7f0000000000)=@mangle={'mangle\x00', 0x2, 0x6, 0x6f8, 0x370, 0x288, 0x160, 0x160, 0x0, 0x788, 0x788, 0x788, 0x788, 0x788, 0x6, 0x0, {[{{@ipv6={@empty, @private1, [], [0x0, 0x0, 0x0, 0xff000000], 'pimreg0\x00', 'macvtap0\x00', {}, {}, 0x21, 0x0, 0x5}, 0x0, 0x138, 0x160, 0x0, {0x7a00000010000000}, [@common=@hl={{0x28}, {0x3, 0x4}}, @common=@inet=@iprange={{0x68}, {@ipv6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @ipv6=@ipv4={'\x00', '\xff\xff', @broadcast}, @ipv6=@private2={0xfc, 0x2, '\x00', 0x1}, @ipv6=@rand_addr=' \x01\x00', 0x22}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xf0, 0x128, 0x0, {}, [@common=@hbh={{0x48}, {0x1, 0x1, 0x0, [0x4, 0x8, 0x2, 0x0, 0x1, 0xe000, 0x6, 0x7, 0x8, 0x0, 0x7d, 0x2, 0x8, 0x8, 0xfff8, 0x3ff], 0x10}}]}, @common=@inet=@SET3={0x38, 'SET\x00', 0x3, {{0xffffffffffffffff}, {0x0, 0x20}, {0x0, 0x0, 0x4}}}}, {{@ipv6={@ipv4, @initdev={0xfe, 0x88, '\x00', 0x4, 0x0}, [0x0, 0x0, 0x0, 0xff], [0x0, 0x0, 0xff000000], '\x00', 'bond_slave_0\x00', {}, {}, 0x0, 0x0, 0x2}, 0x0, 0xa8, 0xe8, 0x48000000}, @common=@inet=@TCPOPTSTRIP={0x40, 'TCPOPTSTRIP\x00', 0x0, {[0x0, 0x6, 0x3, 0x5, 0x2, 0x8000, 0xc, 0xffffffff]}}}, {{@uncond, 0x0, 0xa8, 0x1d0}, @common=@unspec=@SECMARK={0x128, 'SECMARK\x00', 0x0, {0x1, 0xcb, 'system_u:object_r:kmsg_device_t:s0\x00'}}}, {{@uncond, 0x0, 0xa8, 0xe8}, @inet=@TPROXY1={0x40, 'TPROXY\x00', 0x1, {0x1, 0x8, @ipv6=@remote, 0x4e22}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x758)
ioctl$TCXONC(r0, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-socket$inet6_udp-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r0 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$TCXONC(r0, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r0 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
ioctl$TCXONC(r0, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-openat$ttyprintk-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
r0 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
ioctl$TCXONC(r0, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: lost connection to test machine
suppressed program crash: lost connection to test machine
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
ioctl$TCXONC(0xffffffffffffffff, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x282, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
ioctl$TCXONC(0xffffffffffffffff, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
ioctl$TCXONC(0xffffffffffffffff, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
ioctl$TCXONC(0xffffffffffffffff, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB], 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)
ioctl$TCXONC(0xffffffffffffffff, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x48)
ioctl$TCXONC(0xffffffffffffffff, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="400000001000010010000000ffdbdf2500000000", @ANYRES32, @ANYBLOB="dc02000011000400140012800b0001006d61637365630000040002800a0001000000000000000000132329cfa1f9ef7b2f5cf9cd95f31226c42414a68da2a836fea850c705ccaa3a315f326e46e8fe404893e85073277fbfad200fa6cebcb725f5c98a1dd11e178b0cbf46d1c62e64695ca456adfd66a9c0f02a99bbfefef140ddd0e183ee62a74f8edd85f3690ebb18454646807b46318c4c56554862a6493adca7d7c3b55d703bceaed01957841d80fe9420f8d2f0bce312f17b5fdab33eb1dcf3eada7aa9b3a55d0766d8c166aef1137c06787226e47686d6d2d2a39884da7a76"], 0x40}}, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x48)
ioctl$TCXONC(0xffffffffffffffff, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
simplifying C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:namespace SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x48)
ioctl$TCXONC(0xffffffffffffffff, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x48)
ioctl$TCXONC(0xffffffffffffffff, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-bpf$MAP_CREATE_CONST_STR-ioctl$TCXONC-sendmsg$nl_route
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, 0x0, 0x48)
ioctl$TCXONC(0xffffffffffffffff, 0x540a, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x800)

program crashed: KASAN: slab-use-after-free Read in v4l2_fh_open
validation run: crashed=true
reproducing took 2h28m12.950920346s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff88807ca60790 by task v4l_id/6112

CPU: 1 UID: 0 PID: 6112 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
 em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
 v4l2_open+0x1bf/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
 chrdev_open+0x4cd/0x5e0 fs/char_dev.c:411
 do_dentry_open+0x785/0x14e0 fs/open.c:949
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd7fea7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffcd37ed2a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fcd80580880 RCX: 00007fcd7fea7407
RDX: 0000000000000000 RSI: 00007ffcd37edf1c RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffcd37ed4f0 R14: 00007fcd80685000 R15: 000055800f5b24d8
 </TASK>

Allocated by task 6083:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5380
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6083:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff88807ca60000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1936 bytes inside of
 freed 8192-byte region [ffff88807ca60000, ffff88807ca62000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ca60
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fea6280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813fea6280 dead000000000100 dead000000000122
head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001f29801 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5825, tgid 5825 (syz-executor), ts 78441991614, free_ts 78358246727
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __kmalloc_cache_noprof+0x392/0x660 mm/slub.c:5375
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 cgroup1_root_to_use kernel/cgroup/cgroup-v1.c:1240 [inline]
 cgroup1_get_tree+0x4fa/0x8a0 kernel/cgroup/cgroup-v1.c:1267
 vfs_get_tree+0x92/0x2a0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3763 [inline]
 do_new_mount+0x341/0xd30 fs/namespace.c:3839
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5825 tgid 5825 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5573
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4538 [inline]
 slab_alloc_node mm/slub.c:4866 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_node_track_caller_noprof+0x493/0x7b0 mm/slub.c:5368
 memdup_user+0x2b/0xd0 mm/util.c:221
 strndup_user+0x68/0xd0 mm/util.c:280
 copy_mount_string fs/namespace.c:4067 [inline]
 __do_sys_mount fs/namespace.c:4346 [inline]
 __se_sys_mount+0x9d/0x420 fs/namespace.c:4338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88807ca60680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807ca60700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807ca60780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88807ca60800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807ca60880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff88807ca60790 by task v4l_id/6112

CPU: 1 UID: 0 PID: 6112 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
 v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
 em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
 v4l2_open+0x1bf/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
 chrdev_open+0x4cd/0x5e0 fs/char_dev.c:411
 do_dentry_open+0x785/0x14e0 fs/open.c:949
 vfs_open+0x3b/0x340 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e08/0x3860 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd7fea7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffcd37ed2a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fcd80580880 RCX: 00007fcd7fea7407
RDX: 0000000000000000 RSI: 00007ffcd37edf1c RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffcd37ed4f0 R14: 00007fcd80685000 R15: 000055800f5b24d8
 </TASK>

Allocated by task 6083:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5380
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6083:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff88807ca60000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1936 bytes inside of
 freed 8192-byte region [ffff88807ca60000, ffff88807ca62000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ca60
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fea6280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813fea6280 dead000000000100 dead000000000122
head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001f29801 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5825, tgid 5825 (syz-executor), ts 78441991614, free_ts 78358246727
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __kmalloc_cache_noprof+0x392/0x660 mm/slub.c:5375
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 cgroup1_root_to_use kernel/cgroup/cgroup-v1.c:1240 [inline]
 cgroup1_get_tree+0x4fa/0x8a0 kernel/cgroup/cgroup-v1.c:1267
 vfs_get_tree+0x92/0x2a0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3763 [inline]
 do_new_mount+0x341/0xd30 fs/namespace.c:3839
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5825 tgid 5825 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5573
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4538 [inline]
 slab_alloc_node mm/slub.c:4866 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_node_track_caller_noprof+0x493/0x7b0 mm/slub.c:5368
 memdup_user+0x2b/0xd0 mm/util.c:221
 strndup_user+0x68/0xd0 mm/util.c:280
 copy_mount_string fs/namespace.c:4067 [inline]
 __do_sys_mount fs/namespace.c:4346 [inline]
 __se_sys_mount+0x9d/0x420 fs/namespace.c:4338
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88807ca60680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807ca60700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807ca60780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88807ca60800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807ca60880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================