Extracting prog: 19m41.344124389s
Minimizing prog: 1h16m39.397879452s
Simplifying prog options: 0s
Extracting C: 1m58.714915269s
Simplifying C: 14m36.248758663s


extracting reproducer from 24 programs
testing a last program of every proc
single: executing 4 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ptmx-socket$nl_audit-socket$inet6_sctp-socket$inet6_sctp-shutdown-close-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-setsockopt-ioctl$sock_SIOCETHTOOL-ioctl$TIOCSETD-ioctl$TCFLSH-ioctl$TIOCSTI-mmap-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-socket$inet6-bind$inet6-connect$inet6-socket$netlink-writev-mbind-ioctl$BTRFS_IOC_WAIT_SYNC-socket$nl_generic-mbind
detailed listing:
executing program 0:
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
r1 = socket$nl_audit(0x10, 0x3, 0x9)
r2 = socket$inet6_sctp(0xa, 0x1, 0x84)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
shutdown(r3, 0x0)
close(0x3)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r3, 0x84, 0x6f, &(0x7f0000000180)={<r4=>0x0, 0x1c, &(0x7f0000000100)=[@in6={0xa, 0x4e21, 0xfffe, @ipv4={'\x00', '\xff\xff', @rand_addr=0x64010104}, 0x3}]}, &(0x7f0000000140)=0x10)
getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r3, 0x84, 0x7a, &(0x7f0000000340)={r4, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84)
setsockopt(r2, 0x84, 0x81, &(0x7f0000000280)="1a00000002000000", 0x8)
ioctl$sock_SIOCETHTOOL(r1, 0x8946, &(0x7f00000000c0)={'batadv_slave_1\x00', &(0x7f0000000000)=@ethtool_gstrings={0x1b, 0x1}})
ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000080)=0xf)
ioctl$TCFLSH(r0, 0x400455c8, 0x9)
ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000000)=0x1)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x19)
r5 = userfaultfd(0x80801)
ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x749})
ioctl$UFFDIO_REGISTER(r5, 0xc020aa00, &(0x7f0000000080)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
r6 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r6, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/65, 0x328000, 0x800}, 0x20)
r7 = socket$inet6(0xa, 0x2, 0x0)
bind$inet6(r7, &(0x7f0000000040)={0xa, 0xe22}, 0x1c)
connect$inet6(r7, &(0x7f0000000100)={0x2, 0x4e23, 0x0, @mcast1, 0x4}, 0x1c)
r8 = socket$netlink(0x10, 0x3, 0x8000000004)
writev(r8, &(0x7f0000001200)=[{&(0x7f0000000080)="580000001400add427323b472545b45602117fffffff81004e230e227f000001925aa80020007b00090080007f000001e809000000ff0000f03ac710aa7d0000ffffffffffffffffffe7ee00000000000000000200000000", 0x58}], 0x1)
mbind(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x3, &(0x7f0000000000)=0x9, 0x8, 0x0)
ioctl$BTRFS_IOC_WAIT_SYNC(r5, 0x40089416, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
mbind(&(0x7f0000051000/0x4000)=nil, 0x4000, 0x3, &(0x7f0000000080)=0x2, 0x95, 0x2)

program did not crash
program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFNL_MSG_COMPAT_GET-syz_usb_connect-syz_usb_control_io$hid-socket$nl_generic-move_pages-syz_genetlink_get_family_id$tipc-sendmsg$TIPC_CMD_SHOW_NAME_TABLE-syz_usb_control_io$sierra_net
detailed listing:
executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFNL_MSG_COMPAT_GET(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000000c0)={0x14, 0x0, 0xb, 0x201, 0x0, 0x0, {0x3, 0x0, 0x1}}, 0x14}, 0x1, 0x0, 0x0, 0x24000080}, 0x10)
r1 = syz_usb_connect(0x0, 0x202, &(0x7f0000000180)=ANY=[@ANYBLOB="1201100152018b401e040740185d000000010902f00101040000030904"], 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
move_pages(0x0, 0x1, &(0x7f00000001c0)=[&(0x7f0000ffd000/0x2000)=nil], &(0x7f0000000200)=[0x6], 0x0, 0x2)
r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000003c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_SHOW_NAME_TABLE(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000280)={0x30, r3, 0x1, 0x0, 0x100000, {{}, {}, {0x14, 0x19, {0x2, 0x1, 0x0, 0x8}}}}, 0x30}, 0x1, 0x0, 0x0, 0x404c0c0}, 0x9004)
syz_usb_control_io$sierra_net(r1, 0x0, &(0x7f0000000200)={0x1c, &(0x7f0000000140)={0x40, 0x15}, 0x0, 0x0})

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg-ioctl$SIOCPNGETOBJECT-getsockopt$TIPC_SOCK_RECVQ_DEPTH-write$tun-syz_open_dev$video-ioctl$VIDIOC_ENUM_FRAMEINTERVALS-syz_usb_control_io$hid-syz_usb_control_io$uac1-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r9=>0xffffffffffffffff})
r10 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r10, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r10, 0x89e0, &(0x7f0000000480))
getsockopt$TIPC_SOCK_RECVQ_DEPTH(r9, 0x10f, 0x84, 0x0, &(0x7f0000000080))
write$tun(r4, &(0x7f0000000ec0)={@val={0x8, 0x800}, @val={0x3, 0x0, 0x4, 0x1, 0x14}, @ipv4=@generic={{0x6, 0x4, 0x1, 0x27, 0x20, 0x65, 0x0, 0x60, 0x2, 0x0, @initdev={0xac, 0x1e, 0xc, 0x0}, @broadcast, {[@noop]}}, "11f3305280f125e6"}}, 0x2e)
r11 = syz_open_dev$video(&(0x7f0000000240), 0x75, 0x700)
ioctl$VIDIOC_ENUM_FRAMEINTERVALS(r11, 0xc034564b, &(0x7f0000000040)={0x0, 0x42474752, 0x780, 0x438, 0x3, @stepwise={{0x2, 0x7ffd}, {0x2, 0xfff}, {0x5, 0xd}}})
syz_usb_control_io$hid(r2, 0x0, 0x0)
syz_usb_control_io$uac1(r2, 0x0, 0x0)
syz_usb_control_io(r2, &(0x7f0000000200)={0x2c, &(0x7f0000000080)={0x40, 0x0, 0x6d, {0x6d, 0x9, "bdb13dfb44b37c08c39d12ffa735d939196ab6477ac89ced78ccff173c8813580b971887eba0eee5692a2882303f5eb1b780b70505adcb45f4524aadc71176d27d583a1ac8bb2cddbb578fc3efe12de33bb62965a8aa1129b36ad15dbbdca1d8a1848127d6d82487d60637"}}, &(0x7f0000000680)=ANY=[@ANYBLOB="00031000e5c2b2ac010a9df61e82e4ee5eb66e8f12c5d6e914646b6e794100"], &(0x7f0000000140)={0x0, 0xf, 0x2d, {0x5, 0xf, 0x2d, 0x2, [@ssp_cap={0x10, 0x10, 0xa, 0xaf, 0x1, 0xff, 0xf, 0x7, [0xc0]}, @ssp_cap={0x18, 0x10, 0xa, 0x7, 0x3, 0xb507, 0x1100, 0x1c94, [0xffc0, 0xc0, 0xffc000]}]}}, &(0x7f0000000180)={0x20, 0x29, 0xf, {0xf, 0x29, 0xf, 0x1, 0x2, 0x6d, "0fdbcd95", "d0cdc9a6"}}, &(0x7f00000001c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xfb, 0x10, 0x2, 0x3, 0x5, 0x2, 0x8}}}, &(0x7f00000008c0)={0x84, &(0x7f0000000240)={0x40, 0x1, 0xb3, "1b43e62ee6f30a891f3d615d8a6c75e1d31dad1bb642ad37acf4e3eff155e9e7464e45e3b53084e1df913377bb97de43629d7373bd40a308179ba18408a0d25e1b40eaed1c4703d846b706a717d05c637c16b85b8560be10f5b60e6ffc918ed5ce7fabd4bf9c7f8244b1019a7893c03f5f85ed1dec5e0d663ac32cdc8c537dcb81f983069e7da5f370086aeecc89cb6ab3a3ce78ba51ab779bb024116c1cc56d282324278a049025a19797565039fd5f2b32e0"}, &(0x7f0000000a40)={0x0, 0xa, 0x1, 0x1}, &(0x7f0000000500)={0x0, 0x8, 0x1, 0xfe}, &(0x7f0000000540)={0x20, 0x0, 0x4, {0x1, 0x2}}, &(0x7f00000005c0)={0x20, 0x0, 0x8, {0x20, 0x8, [0xff]}}, &(0x7f0000000600)={0x40, 0x7, 0x2}, &(0x7f0000000640)={0x40, 0x9, 0x1, 0x9}, &(0x7f0000000580)={0x40, 0xb, 0x2, "caf4"}, &(0x7f00000006c0)={0x40, 0xf, 0x2, 0x10}, &(0x7f0000000700)={0x40, 0x13, 0x6, @local}, &(0x7f0000000740)={0x40, 0x17, 0x6, @local}, &(0x7f0000000780)={0x40, 0x19, 0x2, "76b4"}, &(0x7f00000007c0)={0x40, 0x1a, 0x2, 0x8000}, &(0x7f0000000800)={0x40, 0x1c, 0x1}, &(0x7f0000000840)={0x40, 0x1e, 0x1, 0x1}, &(0x7f0000000880)={0x40, 0x21, 0x1, 0xf2}})
syz_usb_control_io$hid(r2, 0x0, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_control_io$cdc_ecm-syz_usb_control_io$cdc_ecm-socket$nl_generic-syz_usb_control_io$cdc_ncm-syz_usb_control_io-syz_usb_control_io-syz_usb_control_io$hid-syz_usb_control_io-syz_usb_control_io$cdc_ecm-syz_usb_control_io$cdc_ncm-syz_usb_control_io$uac1-syz_usb_control_io-syz_usb_control_io$uac1-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$hid-syz_usb_control_io$printer-syz_usb_control_io$cdc_ncm-syz_usb_control_io$cdc_ecm-syz_usb_control_io$printer-syz_usb_control_io$rtl8150
detailed listing:
executing program 0:
r0 = syz_usb_connect(0x2, 0x24, &(0x7f00000007c0)=ANY=[@ANYBLOB="12010000ed3ec908cd0cb300ea2d010203010902120001000000000904"], 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000000)={0x1c, &(0x7f0000000240)=ANY=[], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
syz_usb_control_io$cdc_ncm(r0, 0x0, &(0x7f00000003c0)={0x44, &(0x7f0000000500)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r0, &(0x7f00000000c0)={0x14, &(0x7f0000000040)={0x0, 0x23, 0x19, {0x19, 0xe, "101a14a768fb68232590edb80689af7678ad6b083c6752"}}, &(0x7f0000000080)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f0000000200)={0x1c, &(0x7f0000000100)={0x0, 0xf, 0x4f, "591cfd6730c121d0ce0ce7be96008f0346f59936f93e628a004af4ebbf00838989e44d31538af33896f2394eacf994524d96b535f2c1ee98c4e32303fe931e56fb8ac40a1afcb92c18b65b8bc584c3"}, &(0x7f0000000180)={0x0, 0xa, 0x1, 0x5}, &(0x7f00000001c0)={0x0, 0x8, 0x1, 0xa0}})
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, &(0x7f0000000500)={0x34, &(0x7f0000000240)={0x40, 0xe, 0x52, "2761cc415ac1b8ad5be7fce9aed2538b445321fcd836d0da6054ac60f06d6b69017839ec8f54b2240386536d0aaa2768d077cd8813da7dd6d385027b6fd534459fbea274b6ba2667385fc3ff151e65e93c55"}, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$rtl8150(r0, 0x0, 0x0)

program did not crash
single: failed to extract reproducer
bisect: bisecting 24 programs with base timeout 30s
testing program (duration=36s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): [13, 8, 19, 30, 9, 14, 18, 18, 12, 13, 8, 8, 24, 29, 25, 3, 14, 13, 8, 8, 8, 9, 6, 29]
detailed listing:
executing program 3:
r0 = socket$inet6(0xa, 0x4, 0x1)
sendto$inet6(r0, 0x0, 0x0, 0x24048048, &(0x7f0000000100)={0xa, 0x4c20, 0x4, @loopback, 0x3}, 0x1c)
getsockopt$inet_int(r0, 0x0, 0xe, 0x0, &(0x7f0000000500)=0x3)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)
bind$alg(0xffffffffffffffff, &(0x7f0000000000)={0x26, 'skcipher\x00', 0x0, 0x0, 'ecb-camellia-aesni\x00'}, 0x58)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$USBDEVFS_SETINTERFACE(0xffffffffffffffff, 0x80045510, &(0x7f0000000000))
getsockopt$inet6_mptcp_buf(r2, 0x11c, 0x4, &(0x7f0000000000)=""/152, &(0x7f00000000c0)=0x98)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000180)="420fc7bc4898580000640f01c50f01c566baf80cb864c95782ef66bafc0cec67670f1b0166b8fb008ec046d9c3c442b90a2c81c442812852fcc744240012000000c74424020b000000ff1c24", 0x4c}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_SET_REGS(r1, 0x4090ae82, &(0x7f00000005c0)={[0x5836, 0x8, 0x7, 0x4000000000000e52, 0x1, 0x5479, 0x1041, 0x200000000006, 0xfffffffffffffffd, 0x1, 0xfffffffffffffffe, 0x100000000, 0x1, 0x40000000009, 0x8000000000005, 0x10000800040068], 0xd000, 0x80})
ioctl$KVM_RUN(r1, 0xae80, 0x0)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="041817aaaaaaaaaa10"], 0x1a)
executing program 0:
userfaultfd(0x80801)
socket$nl_netfilter(0x10, 0x3, 0xc)
syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
socket$inet(0x2, 0x3, 0x2)
creat(&(0x7f0000000140)='./file0\x00', 0xf1)
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x20000080)
sendmsg$NLBL_UNLABEL_C_STATICADD(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)={0x0}, 0x8, 0x3000000000002, 0x0, 0x80}, 0x0)
executing program 3:
r0 = syz_usb_connect(0x2, 0x24, &(0x7f00000007c0)=ANY=[@ANYBLOB="12010000ed3ec908cd0cb300ea2d010203010902120001000000000904"], 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000000)={0x1c, &(0x7f0000000240)=ANY=[], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$ETHTOOL_MSG_DEBUG_SET(r1, &(0x7f0000001540)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000001c0)=ANY=[@ANYBLOB='D\x00\x00\x00', @ANYRES16=r2, @ANYBLOB="0100000000000000000008000000180001801400020073797a5f74756e00000000000000000018000280080002002000000004000100080004"], 0x44}, 0x1, 0x0, 0x0, 0x10}, 0x4008014)
syz_usb_control_io$cdc_ncm(r0, 0x0, &(0x7f00000003c0)={0x44, &(0x7f0000000500)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r0, &(0x7f00000000c0)={0x14, &(0x7f0000000040)={0x0, 0x23, 0x19, {0x19, 0xe, "101a14a768fb68232590edb80689af7678ad6b083c6752"}}, &(0x7f0000000080)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f0000000200)={0x1c, &(0x7f0000000100)={0x0, 0xf, 0x4f, "591cfd6730c121d0ce0ce7be96008f0346f59936f93e628a004af4ebbf00838989e44d31538af33896f2394eacf994524d96b535f2c1ee98c4e32303fe931e56fb8ac40a1afcb92c18b65b8bc584c3"}, &(0x7f0000000180)={0x0, 0xa, 0x1, 0x5}, &(0x7f00000001c0)={0x0, 0x8, 0x1, 0xa0}})
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x202, 0x0)
r1 = openat$ppp(0xffffffffffffff9c, &(0x7f00000004c0), 0x40082, 0x0)
ioctl$PPPIOCNEWUNIT(r1, 0xc004743e, &(0x7f0000000140))
r2 = syz_open_dev$loop(&(0x7f0000000100), 0x2, 0x2001)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000200)='blkio.bfq.empty_time\x00', 0x275a, 0x0)
write$binfmt_misc(r3, &(0x7f0000000040), 0xe09)
ioctl$LOOP_CONFIGURE(r2, 0x4c0a, &(0x7f00000002c0)={r3, 0x0, {0x2a00, 0x80010000, 0x0, 0x2, 0x0, 0x0, 0x0, 0x14, 0x1c, "fee8a2ab78fc979fd1e00d96072000001ea89de2b7fb0000e60080b8785d960001000000000000000000007efff100004000", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c527d3d458dd4992861ac00", "f4bd000000801900", [0x8, 0xffffffff9673e35d]}})
fallocate(r2, 0x3, 0x0, 0x5345)
ioctl$PPPIOCSFLAGS1(r1, 0x40047459, &(0x7f0000000080)=0x40)
pwritev(r1, &(0x7f0000000040)=[{&(0x7f0000000180)="80fd02000060", 0x6}], 0x1, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000100)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
r6 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r6, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f000000c280)={&(0x7f0000000100)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000050000080900010073797a30000000005c000000030a03000000000000000000050000000900010073797a30000000000900030073797a300000000008000c40000000032800048008000240000000120800014000000000140004"], 0xa4}}, 0x0)
r7 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_fanout(r7, 0x107, 0x12, &(0x7f0000000000)={0x1, 0x8000}, 0x4)
r8 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(r8, 0x107, 0xf, &(0x7f0000000100)=0x9, 0x4)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f00000000c0)={'ip6gretap0\x00', <r9=>0x0})
r10 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='cpu.stat\x00', 0x275a, 0x0)
write$cgroup_devices(r10, &(0x7f0000000000)=ANY=[], 0x9)
mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1, 0x10012, r10, 0x0)
setsockopt$packet_int(r10, 0x107, 0x10, &(0x7f0000000340)=0x10000, 0x4)
sendto$packet(r8, &(0x7f00000001c0)="0b032200e0ff25000200475400f6a13bb10000a88800080048031074bee5786e7525fccb3f8c5c4cf38abe4bf220a5a95edf3ce53aa6a8", 0x37, 0x0, &(0x7f0000000140)={0x11, 0x0, r9, 0x1, 0x0, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x31}}, 0x14)
ioctl$sock_SIOCETHTOOL(r6, 0x8946, &(0x7f0000000080)={'lo\x00', &(0x7f0000000240)=@ethtool_eeprom={0xc, 0x0, 0x0, 0xed, "097a4d1d5c0696331245bf3318a58af28fc030e6216281672da3384abbb5c5f18641c67f15b0b2346e6ea2dac9d016813f2d1fb13fe66a2f9ab535abffb52bbbf7b5fcd4babaf9eafb86ce67dfb6dd52b08026e9d861b1259148943cd0c4d6022f14bb386a8b6886cceecb16ad328763079aea5d411949b984a478ef78c9bc9a6167db8222445e74fc6a0bea7159fec211af693aeb4f05105150ae4c094f98f6cd8fc9e6a90533d51b3e3b0ec21dc494dea0b82f9d9b7d554ee6e890c52790392782ab4f2d9a3d332931cad166114c41822d8563437a5bd9e86022ce66e54a144940cbccccd5f35fcc21512a6e"}})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r5, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000000180)=[@text16={0x10, 0x0}], 0x1, 0x48, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r4, 0xffffffffffffffff, &(0x7f0000fe5000/0x18000)=nil, &(0x7f0000000200)=[@textreal={0x8, &(0x7f0000000000)="f00fc7484d36f08266060266b9800000c00f326635000400000f308bc1de780066b9aa0200000f3266b9ab0900000f32f2f031b3e759dc2c", 0x14}], 0x1, 0x9f6a364b3fac2a72, 0x0, 0x0)
r11 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r11, &(0x7f0000000140)={0x0, 0x3, &(0x7f0000000080)={&(0x7f00000000c0)=ANY=[@ANYBLOB="020300090a00000000000000000000000300060000000e0002000000e000000900000000000000000200010000000000000604fdec19ecd9030005000000000002"], 0x50}}, 0x0)
executing program 2:
socket$inet6(0xa, 0x5, 0x0)
close(0x3)
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
r1 = dup(r0)
setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r1, 0x84, 0x64, &(0x7f00000000c0)=[@in={0x2, 0x4e24, @dev={0xac, 0x14, 0x14, 0x22}}], 0x10)
sendmsg$inet6(r0, &(0x7f0000000800)={&(0x7f0000000080)={0xa, 0x4e24, 0x8, @loopback, 0x4}, 0x1c, &(0x7f0000000180)=[{&(0x7f00000004c0)="99", 0x1}], 0x1}, 0x4048043)
sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x44004, 0x0, 0x0)
r2 = socket$inet6_sctp(0xa, 0x1, 0x84)
sendmsg$inet6(r2, &(0x7f0000000800)={&(0x7f0000000080)={0xa, 0x4e24, 0x8, @loopback={0x300}, 0x6}, 0x1c, &(0x7f0000000380)=[{&(0x7f00000004c0)="88", 0x1}], 0x1}, 0x4048043)
executing program 2:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = socket$inet6(0xa, 0x1, 0x8010000000000084)
sendmmsg$inet6(r2, &(0x7f0000004cc0)=[{{&(0x7f0000000040)={0xa, 0x4e22, 0x1ff, @private0, 0x401}, 0x1c, &(0x7f00000001c0)=[{&(0x7f0000000600)="9302d3cd06ca", 0x6}], 0x1}}], 0x1, 0x4840)
shutdown(r2, 0x1)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000540)={0x0, @in6={{0xa, 0x4e22, 0x400, @empty, 0x6}}, 0x7d, 0x0, 0x40, 0x5, 0x0, 0x4, 0x1}, &(0x7f00000002c0)=0x9c)
ioctl$KVM_CREATE_IRQCHIP(r1, 0xae60)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000080)=[@text64={0x40, &(0x7f0000000140)="410f8b36dbe683660f38cf1c5267470f01f82e660f2e425db95f090000b891c70000ba000000000f30650f94e92e430fc76cf30542dbdf66ba4000b000ee66440f38817705", 0x45}], 0x1, 0x72, 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r3, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000100)=[@text64={0x40, 0x0}], 0x1, 0x43, 0x0, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
r4 = syz_open_dev$cec(&(0x7f0000000080), 0x0, 0x0)
ioctl$CEC_S_MODE(r4, 0x40046109, &(0x7f00000001c0)=0xd0)
ioctl$KVM_SET_IRQCHIP(r1, 0x8208ae63, &(0x7f0000000380)={0x2, 0x0, @ioapic={0x0, 0xe6, 0x2, 0xfffffffe, 0x0, [{0x2, 0x4, 0x87}, {0x9, 0x8, 0x5, '\x00', 0xf}, {0xff, 0x7f, 0xd3, '\x00', 0x69}, {0x0, 0x5, 0xf5, '\x00', 0xf}, {0x7, 0x9, 0xf5, '\x00', 0xb4}, {0xb, 0x4, 0x0, '\x00', 0xff}, {0x75, 0xd5, 0xf1, '\x00', 0x7f}, {0x3, 0x9, 0xc}, {0x7f, 0x5, 0x4a, '\x00', 0x8}, {0xd7, 0xd, 0x8, '\x00', 0x6}, {0x0, 0x28, 0x80, '\x00', 0xdc}, {0xfb, 0x58, 0xff, '\x00', 0x1}, {0xfe, 0x7, 0x26}, {0xcf, 0x3, 0x8, '\x00', 0x86}, {0xf, 0xee, 0x8, '\x00', 0x3}, {0x39, 0x2, 0x6, '\x00', 0xb}, {0x9, 0x6, 0x2, '\x00', 0x9}, {0x4, 0x9, 0x5, '\x00', 0xe9}, {0x7, 0x2, 0x7, '\x00', 0xc2}, {0x0, 0x80, 0xe, '\x00', 0x1}, {0x1, 0xc, 0x4, '\x00', 0x7c}, {0x10, 0x6, 0x92, '\x00', 0x10}, {0x1, 0x3, 0xf3, '\x00', 0x4}, {0x7, 0x6, 0x4}]}})
executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
prctl$PR_SET_ENDIAN(0x14, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x20241, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(r2, r3, &(0x7f0000fda000/0x18000)=nil, &(0x7f0000000280)=[@text64={0x40, &(0x7f0000000040)="b969080000b80b00000022000000000f3036410f79450041dee60f4dc3b8010000000f01c166b821010f00d00f090fc76c17000f00d80f01d10f01c2", 0xfffffffffffffec8}], 0x1, 0x4, 0x0, 0x0)
ioctl$KVM_CAP_ENFORCE_PV_FEATURE_CPUID(r3, 0x4068aea3, &(0x7f00000001c0)={0xbe, 0x0, 0x1})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
r4 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r5 = memfd_create(&(0x7f00000000c0)='[\v\xdbX\xae[\x1a\xa9\xfd\xfa\xad\xd1md\xc8\x85HX\xa9%\f\x1ae\xe0\x00\x00\x00\x00\xfb\xff\x00\x00\x81\x9eG\xd9,\xe2\xc6a\x9f\xe8\xf1\xb3\x86\xe2+Op\xd0\xa2\x82\x1eb;(\xb5\xe1jS\xd6\x91%||\xa0\x8ez\xadT\xc8\f\xe5\x89\xbf3:\x99\x1e\xac`\xc3\xcf\xd3\xae\xd2\a\x11\xa9\xa5^\xff\xf5\x95\xd2q#\xc6\xca\x97\x9d\xcb\x1e\x80\xd6\xd5%N&\xf8#\x80z8Z\xd2}\xf5\xe4\x9f5\x9b\x01\xf9t\xbb\x1er\x14\xdb\xd3\xcd\xfd\xbdnC\xec', 0x0)
fsetxattr$security_ima(r5, &(0x7f0000000040), &(0x7f0000000080)=ANY=[@ANYBLOB="06"], 0x2, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r6, &(0x7f00000000c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000000)=ANY=[@ANYBLOB="1c000000100001a4745c345971df160003000000060001"], 0x1c}}, 0x0)
execveat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', &(0x7f0000000280)={[&(0x7f0000000180)='.&#\x00', &(0x7f00000002c0)='\x8dV\xe2\x00', &(0x7f0000000240)='$\x00']}, &(0x7f0000000380)={[&(0x7f00000002c0), &(0x7f0000000300)='\x96\xaf/\xde\x00\x02\x00\x00\x00', &(0x7f0000000340)=',}#,]/,/^**][-\x00']}, 0x400)
r7 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r7, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@textreal={0x8, &(0x7f00000001c0)="2e0f01c866b9800000c00f326635000400000f300f20e06635800000000f22e0360fc77df3ff9e0000f2d99806000fa7c0b800008ed866db440026da02", 0x3d}], 0x1, 0x1, 0x0, 0x0)
ioctl$KVM_RUN(r7, 0xae80, 0x0)
executing program 2:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
mkdir(&(0x7f0000000200)='./file1\x00', 0x0)
mount$fuse(0x0, 0x0, 0x0, 0x0, &(0x7f0000000400)=ANY=[@ANYBLOB='fd='])
mount(0x0, &(0x7f0000000140)='./file1\x00', &(0x7f0000000040)='autofs\x00', 0x0, &(0x7f0000000400))
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
sync_file_range(r1, 0x7fff, 0x6, 0x4)
sendmsg$NFT_BATCH(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000700)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x301, 0x0, 0x0, {0x1, 0x0, 0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz1\x00'}]}, @NFT_MSG_NEWCHAIN={0x40, 0x3, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_NAME={0x9, 0x3, 'syz1\x00'}, @NFTA_CHAIN_TABLE={0x9, 0x1, 'syz1\x00'}, @NFTA_CHAIN_HOOK={0x14, 0x4, 0x0, 0x1, [@NFTA_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x1b2fd2c5}, @NFTA_HOOK_HOOKNUM={0x8, 0x1, 0x1, 0x0, 0x3}]}]}, @NFT_MSG_NEWTABLE={0x28, 0x0, 0xa, 0x5, 0x0, 0x0, {0x1, 0x0, 0x8}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz1\x00'}, @NFTA_TABLE_FLAGS={0x8, 0x2, 0x1, 0x0, 0x1}]}], {0x14}}, 0xb0}, 0x1, 0x0, 0x0, 0x20004000}, 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
mknodat$null(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x103)
r3 = syz_open_dev$sg(&(0x7f0000000080), 0x0, 0x0)
ioctl$SG_GET_SG_TABLESIZE(r3, 0x227f, &(0x7f00000000c0))
r4 = openat$fuse(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
mount$fuse(0x0, &(0x7f00000002c0)='./file0\x00', &(0x7f00000020c0), 0x2010412, &(0x7f0000000340)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r4, @ANYBLOB=',rootmode=00000000000000000100000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0])
sendmsg$NFT_MSG_GETOBJ(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000400)=ANY=[@ANYBLOB="34000000150a03000000000000000000020000000900020073797a31000000000800034000000001090001"], 0x34}}, 0x0)
r5 = syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000000)={0x0, &(0x7f00000004c0)=[@nested_load_syzos={0x136, 0x14d, {0x3, 0x3, [@code={0xa, 0x89, {"c74424008e000000c7442402200e5456ff1c24c744240000000080c744240204000000c7442406000000000f0114240f22d5470f07c7442400d921b9a2c744240256da7338c7442406000000000f011424f2410fd0440300c744240077000000c744240200000100ff2c244f0fc7586c400f7942670f0011"}}, @out_dx={0x6a, 0x28, {0x397e, 0x4, 0xfffffffffffffff9}}, @nested_load_code={0x12e, 0x64, {0x3, "f3470f32470f22450f22963e360f01c8c744240008000000c744240209000000ff1c240f01d1b9800000c00f3235010000000f30c4417a7e14357b00000066bad10466b8004066ef640f01f8"}}, @cpuid={0x64, 0x18, {0xb, 0x5}}]}}, @nested_amd_set_intercept={0x181, 0x30, {0x0, 0x0, 0x8000000000000001}}, @nested_load_code={0x12e, 0x88, {0x0, "b97c020000b805000000ba000000000f3047ded9b93a0000000f3236430f40efb9c3080000b807000000ba000000000f30c4c1fe2c1e66430fc730c7442400d86d0000c744240230000000c7442406000000000f011c24c74424001a010000c744240207000000ff1c24f04483689500"}}, @enable_nested={0x12c, 0x18}], 0x21d})
recvmmsg(r0, &(0x7f00000060c0)=[{{&(0x7f0000001880)=@ieee802154, 0x80, &(0x7f0000001cc0)=[{&(0x7f0000001900)=""/71, 0x47}, {&(0x7f0000001980)=""/118, 0x76}, {&(0x7f0000001a00)=""/131, 0x83}, {&(0x7f0000001ac0)=""/147, 0x93}, {&(0x7f0000001b80)=""/57, 0x39}, {&(0x7f0000001bc0)=""/54, 0x36}, {&(0x7f0000003100)=""/4096, 0x1000}, {&(0x7f0000001c00)=""/179, 0xb3}], 0x8}, 0x8001}, {{&(0x7f0000001d40)=@pppoe={0x18, 0x0, {0x0, @multicast}}, 0x80, &(0x7f00000042c0)=[{&(0x7f0000001dc0)=""/84, 0x54}, {&(0x7f0000001e40)=""/74, 0x4a}, {&(0x7f0000001ec0)=""/35, 0x23}, {&(0x7f0000001f00)=""/199, 0xc7}, {&(0x7f0000002000)=""/126, 0x7e}, {&(0x7f0000004100)=""/76, 0x4c}, {&(0x7f0000002080)=""/20, 0x14}, {&(0x7f0000004180)=""/92, 0x5c}, {&(0x7f0000004200)=""/142, 0x8e}], 0x9, &(0x7f0000004380)=""/201, 0xc9}, 0x5}, {{&(0x7f0000004480)=@l2={0x1f, 0x0, @fixed}, 0x80, &(0x7f0000004780)=[{&(0x7f0000004500)=""/223, 0xdf}, {&(0x7f0000004600)=""/102, 0x66}, {&(0x7f0000004680)=""/248, 0xf8}], 0x3, &(0x7f00000047c0)=""/181, 0xb5}, 0x3}, {{&(0x7f0000004880)=@phonet, 0x80, &(0x7f0000004980)=[{&(0x7f0000004900)=""/83, 0x53}], 0x1, &(0x7f00000049c0)=""/5, 0x5}, 0x4f50}, {{&(0x7f0000004a00)=@sco, 0x80, &(0x7f0000004c80)=[{&(0x7f0000004a80)=""/68, 0x44}, {&(0x7f0000004b00)=""/221, 0xdd}, {&(0x7f0000004c00)=""/55, 0x37}, {&(0x7f0000004c40)=""/1, 0x1}], 0x4, &(0x7f0000004cc0)=""/1, 0x1}, 0xc}, {{&(0x7f0000004d00)=@tipc=@name, 0x80, &(0x7f0000006000)=[{&(0x7f0000004d80)=""/93, 0x5d}, {&(0x7f0000004e00)=""/233, 0xe9}, {&(0x7f0000004f00)=""/207, 0xcf}, {&(0x7f0000005000)=""/4096, 0x1000}], 0x4, &(0x7f0000006040)=""/85, 0x55}, 0x8}], 0x6, 0x140, &(0x7f0000006240)={0x0, 0x3938700})
recvmmsg(r2, &(0x7f0000001740)=[{{&(0x7f0000000240)=@x25, 0x80, &(0x7f0000000100)=[{&(0x7f00000007c0)=""/139, 0x8b}, {&(0x7f0000000880)=""/131, 0x83}, {&(0x7f0000000940)=""/168, 0xa8}], 0x3, &(0x7f00000001c0)=""/9, 0x9}, 0x6}, {{&(0x7f0000000440)=@generic, 0x80, &(0x7f0000000dc0)=[{&(0x7f0000000a00)=""/206, 0xce}, {&(0x7f0000000b00)=""/223, 0xdf}, {&(0x7f0000000c00)=""/141, 0x8d}, {&(0x7f0000000cc0)=""/252, 0xfc}, {&(0x7f0000000300)=""/53, 0x35}], 0x5, &(0x7f0000000e40)=""/198, 0xc6}, 0x7}, {{&(0x7f0000000f40)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @private}}}, 0x80, &(0x7f00000003c0)=[{&(0x7f0000000fc0)=""/174, 0xae}], 0x1}, 0x4}, {{0x0, 0x0, &(0x7f00000015c0)=[{&(0x7f0000001080)=""/69, 0x45}, {&(0x7f0000001100)=""/116, 0x74}, {&(0x7f0000001180)=""/26, 0x1a}, {&(0x7f00000011c0)=""/247, 0xf7}, {&(0x7f00000012c0)=""/117, 0x75}, {&(0x7f0000001340)=""/63, 0x3f}, {&(0x7f0000001380)=""/116, 0x74}, {&(0x7f0000001400)=""/243, 0xf3}, {&(0x7f0000002100)=""/4096, 0x1000}, {&(0x7f0000001500)=""/186, 0xba}], 0xa, &(0x7f0000001680)=""/148, 0x94}, 0x4}], 0x4, 0x11001, &(0x7f0000001840))
ioctl$KVM_GET_STATS_FD_cpu(r5, 0xaece)
executing program 2:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
syz_open_dev$vim2m(&(0x7f0000000000), 0x3ff, 0x2) (async)
r1 = syz_open_dev$vim2m(&(0x7f0000000000), 0x3ff, 0x2)
ioctl$vim2m_VIDIOC_S_FMT(r1, 0xc0d05605, &(0x7f0000000040)={0x2, @raw_data="38175ed207001e865955595663236001fa07be47030889be80d49d06a746282b8fef2c2f8769f0ee07cab1907ee285d53c42e0a921f91991520631345f02a7a36722d36443983bf3d734ee9f55d2514d0eb113763bf52f582f87805a7b8867bc0400a8593f928a8194a934b7b615b30a89c87f515f708c750218968027c43480c0df58b0ed48a110ee63b82cbd218c748b7b768015a7b633cf69d3771007105ecaf6f7c9b03c1d6d2db5210febe3a652a8035515e3513046406b628d9e02d09e43895d6c93457d59"})
r2 = openat$vnet(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
ioctl$VHOST_NET_SET_BACKEND(r2, 0x4008af30, &(0x7f00000000c0)={0x2})
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201}) (async)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
socket$kcm(0x2, 0xa, 0x2) (async)
r3 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r3, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
write$tun(r0, &(0x7f0000000240)={@val={0x3, 0x800}, @val={0x1, 0x0, 0x0, 0x0, 0x14}, @ipv4=@icmp={{0x5, 0x4, 0x0, 0x0, 0x5c, 0x1400, 0x0, 0x0, 0x1, 0x0, @private=0xa010100, @local}, @redirect={0x5, 0x1, 0x0, @multicast2, {0x10, 0x4, 0x2, 0x10, 0x2, 0x68, 0xff, 0x7, 0x84, 0x4, @initdev={0xac, 0x1e, 0x0, 0x0}, @local, {[@generic={0x7, 0xd, "1470c7f26eb8370a02e95f"}, @timestamp_addr={0x44, 0x1c, 0x26, 0x1, 0x7, [{@loopback, 0x7}, {@loopback, 0x80000000}, {@initdev={0xac, 0x1e, 0x1, 0x0}, 0x1}]}]}}}}}, 0x6a)
executing program 0:
r0 = socket$inet6(0xa, 0x4, 0x1)
sendto$inet6(r0, 0x0, 0x0, 0x24048048, 0x0, 0x0)
getsockopt$inet_int(r0, 0x0, 0xe, 0x0, &(0x7f0000000500)=0x3)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)
bind$alg(0xffffffffffffffff, &(0x7f0000000000)={0x26, 'skcipher\x00', 0x0, 0x0, 'ecb-camellia-aesni\x00'}, 0x58)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$USBDEVFS_SETINTERFACE(0xffffffffffffffff, 0x80045510, &(0x7f0000000000))
getsockopt$inet6_mptcp_buf(r2, 0x11c, 0x4, &(0x7f0000000000)=""/152, &(0x7f00000000c0)=0x98)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000180)="420fc7bc4898580000640f01c50f01c566baf80cb864c95782ef66bafc0cec67670f1b0166b8fb008ec046d9c3c442b90a2c81c442812852fcc744240012000000c74424020b000000ff1c24", 0x4c}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_SET_REGS(r1, 0x4090ae82, &(0x7f00000005c0)={[0x5836, 0x8, 0x7, 0x4000000000000e52, 0x1, 0x5479, 0x1041, 0x200000000006, 0xfffffffffffffffd, 0x1, 0xfffffffffffffffe, 0x100000000, 0x1, 0x40000000009, 0x8000000000005, 0x10000800040068], 0xd000, 0x80})
ioctl$KVM_RUN(r1, 0xae80, 0x0)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="041817aaaaaaaaaa10"], 0x1a)
executing program 2:
userfaultfd(0x80801)
socket$nl_netfilter(0x10, 0x3, 0xc)
syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
socket$inet(0x2, 0x3, 0x2)
creat(&(0x7f0000000140)='./file0\x00', 0xf1)
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x20000080)
sendmsg$NLBL_UNLABEL_C_STATICADD(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)={0x0}, 0x8, 0x3000000000002, 0x0, 0x80}, 0x0)
executing program 0:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
openat$rtc(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)
r1 = memfd_secret(0x0)
ioctl$RTC_WKALM_SET(r1, 0x4028700f, &(0x7f0000000140)={0x0, 0x0, {0x0, 0x0, 0x0, 0x7ff, 0x0, 0x50000}})
dup(r0)
r2 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x105080)
ioctl$BLKROGET(r2, 0x125e, &(0x7f0000000040))
setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f0000000000), 0x45)
executing program 2:
r0 = syz_usb_connect(0x2, 0x24, &(0x7f00000007c0)=ANY=[@ANYBLOB="12010000ed3ec908cd0cb300ea2d010203010902120001000000000904"], 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, &(0x7f0000000000)={0x1c, &(0x7f0000000240)=ANY=[], 0x0, 0x0})
syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
syz_usb_control_io$cdc_ncm(r0, 0x0, &(0x7f00000003c0)={0x44, &(0x7f0000000500)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r0, &(0x7f00000000c0)={0x14, &(0x7f0000000040)={0x0, 0x23, 0x19, {0x19, 0xe, "101a14a768fb68232590edb80689af7678ad6b083c6752"}}, &(0x7f0000000080)={0x0, 0x3, 0x1a, {0x1a}}}, &(0x7f0000000200)={0x1c, &(0x7f0000000100)={0x0, 0xf, 0x4f, "591cfd6730c121d0ce0ce7be96008f0346f59936f93e628a004af4ebbf00838989e44d31538af33896f2394eacf994524d96b535f2c1ee98c4e32303fe931e56fb8ac40a1afcb92c18b65b8bc584c3"}, &(0x7f0000000180)={0x0, 0xa, 0x1, 0x5}, &(0x7f00000001c0)={0x0, 0x8, 0x1, 0xa0}})
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ncm(r0, 0x0, 0x0)
syz_usb_control_io$cdc_ecm(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, &(0x7f0000000500)={0x34, &(0x7f0000000240)={0x40, 0xe, 0x52, "2761cc415ac1b8ad5be7fce9aed2538b445321fcd836d0da6054ac60f06d6b69017839ec8f54b2240386536d0aaa2768d077cd8813da7dd6d385027b6fd534459fbea274b6ba2667385fc3ff151e65e93c55"}, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$rtl8150(r0, 0x0, 0x0)
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r9=>0xffffffffffffffff})
r10 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r10, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r10, 0x89e0, &(0x7f0000000480))
getsockopt$TIPC_SOCK_RECVQ_DEPTH(r9, 0x10f, 0x84, 0x0, &(0x7f0000000080))
write$tun(r4, &(0x7f0000000ec0)={@val={0x8, 0x800}, @val={0x3, 0x0, 0x4, 0x1, 0x14}, @ipv4=@generic={{0x6, 0x4, 0x1, 0x27, 0x20, 0x65, 0x0, 0x60, 0x2, 0x0, @initdev={0xac, 0x1e, 0xc, 0x0}, @broadcast, {[@noop]}}, "11f3305280f125e6"}}, 0x2e)
r11 = syz_open_dev$video(&(0x7f0000000240), 0x75, 0x700)
ioctl$VIDIOC_ENUM_FRAMEINTERVALS(r11, 0xc034564b, &(0x7f0000000040)={0x0, 0x42474752, 0x780, 0x438, 0x3, @stepwise={{0x2, 0x7ffd}, {0x2, 0xfff}, {0x5, 0xd}}})
syz_usb_control_io$hid(r2, 0x0, 0x0)
syz_usb_control_io$uac1(r2, 0x0, 0x0)
syz_usb_control_io(r2, &(0x7f0000000200)={0x2c, &(0x7f0000000080)={0x40, 0x0, 0x6d, {0x6d, 0x9, "bdb13dfb44b37c08c39d12ffa735d939196ab6477ac89ced78ccff173c8813580b971887eba0eee5692a2882303f5eb1b780b70505adcb45f4524aadc71176d27d583a1ac8bb2cddbb578fc3efe12de33bb62965a8aa1129b36ad15dbbdca1d8a1848127d6d82487d60637"}}, &(0x7f0000000680)=ANY=[@ANYBLOB="00031000e5c2b2ac010a9df61e82e4ee5eb66e8f12c5d6e914646b6e794100"], &(0x7f0000000140)={0x0, 0xf, 0x2d, {0x5, 0xf, 0x2d, 0x2, [@ssp_cap={0x10, 0x10, 0xa, 0xaf, 0x1, 0xff, 0xf, 0x7, [0xc0]}, @ssp_cap={0x18, 0x10, 0xa, 0x7, 0x3, 0xb507, 0x1100, 0x1c94, [0xffc0, 0xc0, 0xffc000]}]}}, &(0x7f0000000180)={0x20, 0x29, 0xf, {0xf, 0x29, 0xf, 0x1, 0x2, 0x6d, "0fdbcd95", "d0cdc9a6"}}, &(0x7f00000001c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xfb, 0x10, 0x2, 0x3, 0x5, 0x2, 0x8}}}, &(0x7f00000008c0)={0x84, &(0x7f0000000240)={0x40, 0x1, 0xb3, "1b43e62ee6f30a891f3d615d8a6c75e1d31dad1bb642ad37acf4e3eff155e9e7464e45e3b53084e1df913377bb97de43629d7373bd40a308179ba18408a0d25e1b40eaed1c4703d846b706a717d05c637c16b85b8560be10f5b60e6ffc918ed5ce7fabd4bf9c7f8244b1019a7893c03f5f85ed1dec5e0d663ac32cdc8c537dcb81f983069e7da5f370086aeecc89cb6ab3a3ce78ba51ab779bb024116c1cc56d282324278a049025a19797565039fd5f2b32e0"}, &(0x7f0000000a40)={0x0, 0xa, 0x1, 0x1}, &(0x7f0000000500)={0x0, 0x8, 0x1, 0xfe}, &(0x7f0000000540)={0x20, 0x0, 0x4, {0x1, 0x2}}, &(0x7f00000005c0)={0x20, 0x0, 0x8, {0x20, 0x8, [0xff]}}, &(0x7f0000000600)={0x40, 0x7, 0x2}, &(0x7f0000000640)={0x40, 0x9, 0x1, 0x9}, &(0x7f0000000580)={0x40, 0xb, 0x2, "caf4"}, &(0x7f00000006c0)={0x40, 0xf, 0x2, 0x10}, &(0x7f0000000700)={0x40, 0x13, 0x6, @local}, &(0x7f0000000740)={0x40, 0x17, 0x6, @local}, &(0x7f0000000780)={0x40, 0x19, 0x2, "76b4"}, &(0x7f00000007c0)={0x40, 0x1a, 0x2, 0x8000}, &(0x7f0000000800)={0x40, 0x1c, 0x1}, &(0x7f0000000840)={0x40, 0x1e, 0x1, 0x1}, &(0x7f0000000880)={0x40, 0x21, 0x1, 0xf2}})
syz_usb_control_io$hid(r2, 0x0, 0x0)
executing program 1:
sendmsg$IPSET_CMD_CREATE(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000001c0)={0x58, 0x2, 0x6, 0x5, 0x0, 0x0, {0x2, 0x0, 0x5}, [@IPSET_ATTR_REVISION={0x5, 0x4, 0x1}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_DATA={0xc, 0x7, 0x0, 0x1, [@IPSET_ATTR_TIMEOUT={0x8, 0x6, 0x0}]}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_TYPENAME={0x11, 0x3, 'hash:net,net\x00'}]}, 0x58}, 0x1, 0x0, 0x0, 0x4890}, 0x0)
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
r3 = accept4(0xffffffffffffffff, &(0x7f0000000400)=@sco={0x1f, @none}, &(0x7f0000000380)=0x80, 0x0)
sendmsg$nl_generic(r3, &(0x7f0000000700)={&(0x7f0000000480)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f00000006c0)={&(0x7f00000004c0)={0x1e0, 0x24, 0x20, 0x70bd27, 0x25dfdbff, {0x8}, [@nested={0x14f, 0x10f, 0x0, 0x1, [@typed={0x14, 0x16, 0x0, 0x0, @ipv6=@mcast1}, @typed={0x6, 0x4d, 0x0, 0x0, @str='-\x00'}, @nested={0x4, 0xd4}, @generic="99da4f0b43e5ad65e90a5aa4c3dee1a0f10784898da4bc5361755dae210693d4468224e3f14c4128c0b289ae194d36d1458f6b35f7290f9ebe14bcb18c93f870c166e5c464fc86925d6636", @generic="64dfbddab6af4f3f766dab2b14648150bd2b1af6730024847f1b8de006dde7314f7633930464c7686155a46cf3947bd76bd2fc34891a84e694cba36149fe93682f52439d944caf14a80623451cb996343fdce2a737c8c6da753906adf3754f457629bbfa77f220e41e150d59ca0c545811726ace4b51d6073a156c213fa96e16aa3594fb37422d98277115a1ec525fa529fb8dc3ccf8fa6df37ba9ac61b7c84a80d607b6b2418aa885a6cfcf5d4437619a30a4d7518303ce3a4048465402805a00967b169ab4396a80183cebe48db092a24803aa5ce373518c660eeb", @nested={0x4, 0xc4}]}, @typed={0x7c, 0x31, 0x0, 0x0, @binary="1d7f39b49e745c6f4a327973e5c5aa6571269e094bbb8605e6ced0915c975671c384a98796ef7720456896bd9451a42a2b89ae94d28c73fe999c68c59b9f0e567137d639709c0ed7de0c8489cb0807378c3a208f89522a199db8daa120f0c35d0297dc32458c71580c287dd736c4fbd9a5684548375ab4c8"}]}, 0x1e0}}, 0x4000010)
sendmsg$IPCTNL_MSG_CT_NEW(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB="4c00000000010104000000000000000800000000000000361400018008000100e000000108000200e00000010c0002800500010000000000140005800e000100736e6d705f74726170000000"], 0x4c}, 0x1, 0x0, 0x0, 0x4048040}, 0x0)
tee(r2, r0, 0x7, 0xd)
mq_notify(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x16, 0x1, @thr={0x0, 0x0}})
r4 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r4, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000003c0)={0x14, 0x3d, 0x301, 0x70bd25, 0xfffffffc, {0x1}}, 0x14}, 0x1, 0x0, 0x0, 0x448d3}, 0x0)
ioctl$KVM_CAP_EXIT_HYPERCALL(r1, 0x4068aea3, &(0x7f00000000c0)={0x79, 0x0, 0xc})
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_GET_DEBUGREGS(r5, 0x8080aea1, &(0x7f00000001c0))
r6 = socket$rds(0x15, 0x5, 0x0)
r7 = syz_io_uring_setup(0x964, &(0x7f0000000240)={0x0, 0x5af7, 0x4000, 0x0, 0x3dd}, &(0x7f0000000140), &(0x7f00000002c0))
mmap$IORING_OFF_CQ_RING(&(0x7f0000ff0000/0x1000)=nil, 0x1000, 0x2000005, 0x13, r7, 0x8000000)
bind$rds(r6, &(0x7f0000000840)={0x2, 0x0, @loopback}, 0x10)
r8 = syz_genetlink_get_family_id$devlink(&(0x7f0000000040), 0xffffffffffffffff)
r9 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$DEVLINK_CMD_PORT_GET(r9, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000000c0)={0x3c, r8, 0x1, 0x70bd27, 0x0, {0x54}, [{{@nsim={{0xe}, {0xf, 0x2, {'netdevsim', 0x0}}}, {0x8, 0x3, 0x1}}}]}, 0x3c}}, 0xc084)
sendmsg$DEVLINK_CMD_PORT_GET(r9, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000080)={0x14, r8, 0x1, 0x70bd25, 0x4, {0x54}}, 0x14}, 0x1, 0x0, 0x0, 0x4048890}, 0x0)
sendmsg$rds(r6, &(0x7f0000000000)={&(0x7f0000000040)={0x2, 0x0, @dev={0xac, 0x14, 0x14, 0x11}}, 0x10, 0x0, 0x0, &(0x7f0000000780)=[@rdma_args={0x37, 0x114, 0x1, {{}, {0x0}, &(0x7f0000000300)=[{&(0x7f0000002640)=""/102389, 0x18ff5}], 0x1, 0x1903d}}], 0x48}, 0x0)
syz_kvm_setup_cpu$x86(r1, r5, &(0x7f0000fe6000/0x18000)=nil, &(0x7f0000000080)=[@text32={0x20, 0x0}], 0x1, 0x40, 0x0, 0x0)
ioctl$KVM_SET_LAPIC(r5, 0x4400ae8f, &(0x7f0000000bc0)={"c718ae3ddd25e4c2826499cb6a055b56a5a7336f377a556f824db28eb6743cf045afd0e932534b9eb3b847abbcef63c85319991745999ed89ff49783a84d57cf175a89f8733d74a1bdddcb0a6c3f7535ef976e79da1b52de6403f6710d606fafaf685ec19f369b7829b12aa2b8cd2ab52f9c688683979cdb9516cb61f2adb9aefd44fce30bddb81ebefa818f31f60d89a4e390920c7ed0e2512fd59f719e734b0a1d1f3ff7babb54258a1585514aac353b21fe733671e0543929c06f72fc598939003ac6777f3497523536fd25ac4f1e265f5038fa7455f2cc6131d4a189a16b0f0b89e6a495e1d95b840c36488adc22cb2d1b8af57f6dce7214152ba1b3c0d3ad0a6db821518e44b24cb36a02d76ea11a1c45879fc77e7bb2af8c345ddddf49f41228df2114f2c27d16499fa36097a5015ad61a6a9484c09e0a2dfb50f7b7ca71135dc32804a80380a6e20e0ae03be775e472cd31d6a31e615937c38e746a5cf6c9d8194242990dd497a2c52af50300000000000000cebbd983c3f86dbe92c4b751c04693cb09af88521ab305ceabf6d2bab40bb1b219fbe95ace2f6c49fea798e76b4ef336dff5ac0f7ab022b800ac1aa42fd231b52465a410177ed85dcc9c6d794e2aa0b90cdc409541aa85fa16e3cbc3a9d6c83ffd4d01e5ba898555eeffccf0cb28ce5df0ba31cb793675276162de2fdcb486455bca57edf4fb14e1533554eb22527d66a28a960c430f6136927f54e670c46292454fe28485f35405025844fd24fe846f6656c77d9b5f2b4750ac4805897b02c85caba80000bb96f71f468c9e746d860238b3b113ab1eef51e1507f8832d5d69528083d44548e491477cda51d7e083a134097438e9d7ea34eae8a2e6b516327db9310c7478a37f5c562037196131cc7c84fa29c3c2576f2ae7570b5a98aaa49ca7ddfd5a8c046ce82e4a2d06082ad7a3ab0dfbe208630b1410b674781855752c9c57c1c5ab0a74a336ce89b3a9c0d37a3ca4e698a798a85faf7f4f1dc020b7dd5750062c9810c4bc1ad7afe338f2b0f29059e684fe16098eb30da105be01ca11a293635dfc6d25ecc770ba72792fd3c6851d951b770d0f9edafb1cb4241350d85b04ed737a9bfd7e8301c43b65a95dda76d6850860ba3195040b14c8ad1a8b52472787621147182352a1dbd93595cbc26e813ccd75e16f9247fe82ed150c121f0041022522ec76476f0a9cffa3be1d3ffffffffffffffff29358bbfd8b7a12fe94a0355beb9420eee0a5c11220100c782b89e9430de84b220e8c0df4bd40be3400c58f149319f891fe86fba751dab3326bf2deb9e782b37ec9c7adf36025a091a4b3600"})
executing program 3:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x100, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_REINJECT_CONTROL(r1, 0xae71, 0x0)
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180), 0x2, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000040)={0x1fe, 0x1, 0x0, 0x1000, &(0x7f0000036000/0x1000)=nil})
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
setuid(0xee01)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x2}, 0x6)
write$bt_hci(r2, &(0x7f0000000200)=ANY=[@ANYBLOB="01"], 0xe)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x2000002, 0x4ca31, 0xffffffffffffffff, 0x0)
ioctl$KVM_PRE_FAULT_MEMORY(r3, 0xc040aed5, &(0x7f0000000000)={0x0, 0x11000})
capset(&(0x7f0000000040)={0x20071026}, &(0x7f0000000140)={0x0, 0x0, 0x0, 0x81, 0xfffffff9})
r4 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x103001)
ioctl$SG_IO(r4, 0x2285, &(0x7f00000010c0)={0x53, 0xfffffffffffffffc, 0x6, 0xb0, @buffer={0x0, 0x0, 0x0}, &(0x7f0000001080)="2ebe69ae6200", 0x0, 0x1, 0x34, 0x22, 0x0})
ioctl$KVM_GET_DIRTY_LOG(r1, 0x4010ae42, &(0x7f00000001c0)={0x1fe, 0x0, &(0x7f0000feb000/0x4000)=nil})
executing program 3:
r0 = socket$inet6(0xa, 0x4, 0x1)
sendto$inet6(r0, 0x0, 0x0, 0x24048048, 0x0, 0x0)
getsockopt$inet_int(r0, 0x0, 0xe, 0x0, &(0x7f0000000500)=0x3)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x20002000, &(0x7f0000000000/0x2000)=nil})
r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)
bind$alg(0xffffffffffffffff, &(0x7f0000000000)={0x26, 'skcipher\x00', 0x0, 0x0, 'ecb-camellia-aesni\x00'}, 0x58)
r2 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$USBDEVFS_SETINTERFACE(0xffffffffffffffff, 0x80045510, &(0x7f0000000000))
getsockopt$inet6_mptcp_buf(r2, 0x11c, 0x4, &(0x7f0000000000)=""/152, &(0x7f00000000c0)=0x98)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, &(0x7f0000000180)="420fc7bc4898580000640f01c50f01c566baf80cb864c95782ef66bafc0cec67670f1b0166b8fb008ec046d9c3c442b90a2c81c442812852fcc744240012000000c74424020b000000ff1c24", 0x4c}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_SET_REGS(r1, 0x4090ae82, &(0x7f00000005c0)={[0x5836, 0x8, 0x7, 0x4000000000000e52, 0x1, 0x5479, 0x1041, 0x200000000006, 0xfffffffffffffffd, 0x1, 0xfffffffffffffffe, 0x100000000, 0x1, 0x40000000009, 0x8000000000005, 0x10000800040068], 0xd000, 0x80})
ioctl$KVM_RUN(r1, 0xae80, 0x0)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="041817aaaaaaaaaa10"], 0x1a)
executing program 1:
r0 = syz_usb_connect(0x3, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000014da2108ab12a390eb1e000000010902240001b30000040904410017ff5d810009050f1f01040000000905830300b3"], 0x0) (async)
r1 = syz_open_dev$sndpcmp(&(0x7f0000000b00), 0x0, 0x0) (async, rerun: 32)
r2 = socket$rxrpc(0x21, 0x2, 0xa) (rerun: 32)
setsockopt$RXRPC_MIN_SECURITY_LEVEL(r2, 0x110, 0x3, &(0x7f0000000000), 0x4)
ioctl$SNDRV_PCM_IOCTL_HW_REFINE(r1, 0xc2604110, &(0x7f0000000b40)={0x0, [[0x9ef8, 0x0, 0x0, 0x0, 0x5d11], [0x10000, 0x0, 0x0, 0x0, 0x3a3], [0x7]], '\x00', [{}, {0x3, 0x8}, {0x1}, {0x0, 0x80000000}, {0x3, 0x0, 0x0, 0x1, 0x1}, {0x18, 0x5f}, {}, {0x0, 0x6}, {0x0, 0x3}, {0x0, 0xfffffffe}, {0x0, 0xbcf}, {0x0, 0x2}], '\x00', 0x1000}) (async)
syz_usb_ep_write$ath9k_ep2(r0, 0x83, 0x8, &(0x7f0000000200)=ANY=[@ANYBLOB="bcea"]) (async)
r3 = syz_open_dev$evdev(&(0x7f00000000c0), 0x40, 0x0)
ioctl$EVIOCSFF(r3, 0x40304580, &(0x7f0000000000)={0x0, 0xffff, 0x8, {0x7ff, 0xe}, {0x5, 0x4}, @cond=[{0x101, 0x0, 0x10, 0x4, 0x8, 0x2}, {0x1677, 0x2, 0x7fff, 0x100, 0xf78, 0x6}]})
executing program 3:
userfaultfd(0x80801)
socket$nl_netfilter(0x10, 0x3, 0xc)
syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
socket$inet(0x2, 0x3, 0x2)
creat(&(0x7f0000000140)='./file0\x00', 0xf1)
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={0x0, 0x1c}}, 0x20000080)
sendmsg$NLBL_UNLABEL_C_STATICADD(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)={0x0}, 0x8, 0x3000000000002, 0x0, 0x80}, 0x0)
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000000)={[0x38, 0xfff, 0xfffffffffffffffd, 0x180, 0x2, 0x14, 0xf0, 0x0, 0x7fffffffffffe, 0x5, 0x9, 0x8, 0x0, 0x45, 0xffffffffffffffff, 0xbdb], 0xfec00000, 0x1c4213})
r3 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$FBIOPUT_VSCREENINFO(r3, 0x4601, &(0x7f0000000040)={0x190, 0x258, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, {}, {}, {}, {0x0, 0x0, 0x1}})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
executing program 3:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFNL_MSG_COMPAT_GET(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000000c0)={0x14, 0x0, 0xb, 0x201, 0x0, 0x0, {0x3, 0x0, 0x1}}, 0x14}, 0x1, 0x0, 0x0, 0x24000080}, 0x10)
r1 = syz_usb_connect(0x0, 0x202, &(0x7f0000000180)=ANY=[@ANYBLOB="1201100152018b401e040740185d000000010902f00101040000030904"], 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
move_pages(0x0, 0x1, &(0x7f00000001c0)=[&(0x7f0000ffd000/0x2000)=nil], &(0x7f0000000200)=[0x6], 0x0, 0x2)
r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000003c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_SHOW_NAME_TABLE(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000280)={0x30, r3, 0x1, 0x0, 0x100000, {{}, {}, {0x14, 0x19, {0x2, 0x1, 0x0, 0x8}}}}, 0x30}, 0x1, 0x0, 0x0, 0x404c0c0}, 0x9004)
syz_usb_control_io$sierra_net(r1, 0x0, &(0x7f0000000200)={0x1c, &(0x7f0000000140)={0x40, 0x15}, 0x0, 0x0})
executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000280), 0x0, 0x0)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$gtp(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$GTP_CMD_GETPDP(r1, &(0x7f0000000100)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x18400700}, 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x1c, r2, 0x8, 0x70bd2a, 0x25dfdbff, {}, [@GTPA_O_TEI={0x8, 0x9, 0x3}]}, 0x1c}, 0x1, 0x0, 0x0, 0x20000800}, 0x0)
madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00003, 0x8)
executing program 1:
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
r1 = socket$nl_audit(0x10, 0x3, 0x9)
r2 = socket$inet6_sctp(0xa, 0x1, 0x84)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
shutdown(r3, 0x0)
close(0x3)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r3, 0x84, 0x6f, &(0x7f0000000180)={<r4=>0x0, 0x1c, &(0x7f0000000100)=[@in6={0xa, 0x4e21, 0xfffe, @ipv4={'\x00', '\xff\xff', @rand_addr=0x64010104}, 0x3}]}, &(0x7f0000000140)=0x10)
getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r3, 0x84, 0x7a, &(0x7f0000000340)={r4, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84)
setsockopt(r2, 0x84, 0x81, &(0x7f0000000280)="1a00000002000000", 0x8)
ioctl$sock_SIOCETHTOOL(r1, 0x8946, &(0x7f00000000c0)={'batadv_slave_1\x00', &(0x7f0000000000)=@ethtool_gstrings={0x1b, 0x1}})
ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000080)=0xf)
ioctl$TCFLSH(r0, 0x400455c8, 0x9)
ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000000)=0x1)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x19)
r5 = userfaultfd(0x80801)
ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x749})
ioctl$UFFDIO_REGISTER(r5, 0xc020aa00, &(0x7f0000000080)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
r6 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r6, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/65, 0x328000, 0x800}, 0x20)
r7 = socket$inet6(0xa, 0x2, 0x0)
bind$inet6(r7, &(0x7f0000000040)={0xa, 0xe22}, 0x1c)
connect$inet6(r7, &(0x7f0000000100)={0x2, 0x4e23, 0x0, @mcast1, 0x4}, 0x1c)
r8 = socket$netlink(0x10, 0x3, 0x8000000004)
writev(r8, &(0x7f0000001200)=[{&(0x7f0000000080)="580000001400add427323b472545b45602117fffffff81004e230e227f000001925aa80020007b00090080007f000001e809000000ff0000f03ac710aa7d0000ffffffffffffffffffe7ee00000000000000000200000000", 0x58}], 0x1)
mbind(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x3, &(0x7f0000000000)=0x9, 0x8, 0x0)
ioctl$BTRFS_IOC_WAIT_SYNC(r5, 0x40089416, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
mbind(&(0x7f0000051000/0x4000)=nil, 0x4000, 0x3, &(0x7f0000000080)=0x2, 0x95, 0x2)

program did not crash
replaying the whole log did not cause a kernel crash
single: executing 4 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$ptmx-socket$nl_audit-socket$inet6_sctp-socket$inet6_sctp-shutdown-close-getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3-getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR-setsockopt-ioctl$sock_SIOCETHTOOL-ioctl$TIOCSETD-ioctl$TCFLSH-ioctl$TIOCSTI-mmap-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-socket$xdp-setsockopt$XDP_UMEM_REG-socket$inet6-bind$inet6-connect$inet6-socket$netlink-writev-mbind-ioctl$BTRFS_IOC_WAIT_SYNC-socket$nl_generic-mbind
detailed listing:
executing program 0:
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
r1 = socket$nl_audit(0x10, 0x3, 0x9)
r2 = socket$inet6_sctp(0xa, 0x1, 0x84)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
shutdown(r3, 0x0)
close(0x3)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r3, 0x84, 0x6f, &(0x7f0000000180)={<r4=>0x0, 0x1c, &(0x7f0000000100)=[@in6={0xa, 0x4e21, 0xfffe, @ipv4={'\x00', '\xff\xff', @rand_addr=0x64010104}, 0x3}]}, &(0x7f0000000140)=0x10)
getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r3, 0x84, 0x7a, &(0x7f0000000340)={r4, @in6={{0xa, 0x3, 0x4, @mcast1}}}, &(0x7f0000000040)=0x84)
setsockopt(r2, 0x84, 0x81, &(0x7f0000000280)="1a00000002000000", 0x8)
ioctl$sock_SIOCETHTOOL(r1, 0x8946, &(0x7f00000000c0)={'batadv_slave_1\x00', &(0x7f0000000000)=@ethtool_gstrings={0x1b, 0x1}})
ioctl$TIOCSETD(r0, 0x5423, &(0x7f0000000080)=0xf)
ioctl$TCFLSH(r0, 0x400455c8, 0x9)
ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000000)=0x1)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x19)
r5 = userfaultfd(0x80801)
ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x749})
ioctl$UFFDIO_REGISTER(r5, 0xc020aa00, &(0x7f0000000080)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1})
r6 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r6, 0x11b, 0x4, &(0x7f00000000c0)={&(0x7f0000000000)=""/65, 0x328000, 0x800}, 0x20)
r7 = socket$inet6(0xa, 0x2, 0x0)
bind$inet6(r7, &(0x7f0000000040)={0xa, 0xe22}, 0x1c)
connect$inet6(r7, &(0x7f0000000100)={0x2, 0x4e23, 0x0, @mcast1, 0x4}, 0x1c)
r8 = socket$netlink(0x10, 0x3, 0x8000000004)
writev(r8, &(0x7f0000001200)=[{&(0x7f0000000080)="580000001400add427323b472545b45602117fffffff81004e230e227f000001925aa80020007b00090080007f000001e809000000ff0000f03ac710aa7d0000ffffffffffffffffffe7ee00000000000000000200000000", 0x58}], 0x1)
mbind(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x3, &(0x7f0000000000)=0x9, 0x8, 0x0)
ioctl$BTRFS_IOC_WAIT_SYNC(r5, 0x40089416, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
mbind(&(0x7f0000051000/0x4000)=nil, 0x4000, 0x3, &(0x7f0000000080)=0x2, 0x95, 0x2)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_netfilter-sendmsg$NFNL_MSG_COMPAT_GET-syz_usb_connect-syz_usb_control_io$hid-socket$nl_generic-move_pages-syz_genetlink_get_family_id$tipc-sendmsg$TIPC_CMD_SHOW_NAME_TABLE-syz_usb_control_io$sierra_net
detailed listing:
executing program 0:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFNL_MSG_COMPAT_GET(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000000c0)={0x14, 0x0, 0xb, 0x201, 0x0, 0x0, {0x3, 0x0, 0x1}}, 0x14}, 0x1, 0x0, 0x0, 0x24000080}, 0x10)
r1 = syz_usb_connect(0x0, 0x202, &(0x7f0000000180)=ANY=[@ANYBLOB="1201100152018b401e040740185d000000010902f00101040000030904"], 0x0)
syz_usb_control_io$hid(r1, 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
move_pages(0x0, 0x1, &(0x7f00000001c0)=[&(0x7f0000ffd000/0x2000)=nil], &(0x7f0000000200)=[0x6], 0x0, 0x2)
r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000003c0), 0xffffffffffffffff)
sendmsg$TIPC_CMD_SHOW_NAME_TABLE(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000280)={0x30, r3, 0x1, 0x0, 0x100000, {{}, {}, {0x14, 0x19, {0x2, 0x1, 0x0, 0x8}}}}, 0x30}, 0x1, 0x0, 0x0, 0x404c0c0}, 0x9004)
syz_usb_control_io$sierra_net(r1, 0x0, &(0x7f0000000200)={0x1c, &(0x7f0000000140)={0x40, 0x15}, 0x0, 0x0})

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg-ioctl$SIOCPNGETOBJECT-getsockopt$TIPC_SOCK_RECVQ_DEPTH-write$tun-syz_open_dev$video-ioctl$VIDIOC_ENUM_FRAMEINTERVALS-syz_usb_control_io$hid-syz_usb_control_io$uac1-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r9=>0xffffffffffffffff})
r10 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r10, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r10, 0x89e0, &(0x7f0000000480))
getsockopt$TIPC_SOCK_RECVQ_DEPTH(r9, 0x10f, 0x84, 0x0, &(0x7f0000000080))
write$tun(r4, &(0x7f0000000ec0)={@val={0x8, 0x800}, @val={0x3, 0x0, 0x4, 0x1, 0x14}, @ipv4=@generic={{0x6, 0x4, 0x1, 0x27, 0x20, 0x65, 0x0, 0x60, 0x2, 0x0, @initdev={0xac, 0x1e, 0xc, 0x0}, @broadcast, {[@noop]}}, "11f3305280f125e6"}}, 0x2e)
r11 = syz_open_dev$video(&(0x7f0000000240), 0x75, 0x700)
ioctl$VIDIOC_ENUM_FRAMEINTERVALS(r11, 0xc034564b, &(0x7f0000000040)={0x0, 0x42474752, 0x780, 0x438, 0x3, @stepwise={{0x2, 0x7ffd}, {0x2, 0xfff}, {0x5, 0xd}}})
syz_usb_control_io$hid(r2, 0x0, 0x0)
syz_usb_control_io$uac1(r2, 0x0, 0x0)
syz_usb_control_io(r2, &(0x7f0000000200)={0x2c, &(0x7f0000000080)={0x40, 0x0, 0x6d, {0x6d, 0x9, "bdb13dfb44b37c08c39d12ffa735d939196ab6477ac89ced78ccff173c8813580b971887eba0eee5692a2882303f5eb1b780b70505adcb45f4524aadc71176d27d583a1ac8bb2cddbb578fc3efe12de33bb62965a8aa1129b36ad15dbbdca1d8a1848127d6d82487d60637"}}, &(0x7f0000000680)=ANY=[@ANYBLOB="00031000e5c2b2ac010a9df61e82e4ee5eb66e8f12c5d6e914646b6e794100"], &(0x7f0000000140)={0x0, 0xf, 0x2d, {0x5, 0xf, 0x2d, 0x2, [@ssp_cap={0x10, 0x10, 0xa, 0xaf, 0x1, 0xff, 0xf, 0x7, [0xc0]}, @ssp_cap={0x18, 0x10, 0xa, 0x7, 0x3, 0xb507, 0x1100, 0x1c94, [0xffc0, 0xc0, 0xffc000]}]}}, &(0x7f0000000180)={0x20, 0x29, 0xf, {0xf, 0x29, 0xf, 0x1, 0x2, 0x6d, "0fdbcd95", "d0cdc9a6"}}, &(0x7f00000001c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xfb, 0x10, 0x2, 0x3, 0x5, 0x2, 0x8}}}, &(0x7f00000008c0)={0x84, &(0x7f0000000240)={0x40, 0x1, 0xb3, "1b43e62ee6f30a891f3d615d8a6c75e1d31dad1bb642ad37acf4e3eff155e9e7464e45e3b53084e1df913377bb97de43629d7373bd40a308179ba18408a0d25e1b40eaed1c4703d846b706a717d05c637c16b85b8560be10f5b60e6ffc918ed5ce7fabd4bf9c7f8244b1019a7893c03f5f85ed1dec5e0d663ac32cdc8c537dcb81f983069e7da5f370086aeecc89cb6ab3a3ce78ba51ab779bb024116c1cc56d282324278a049025a19797565039fd5f2b32e0"}, &(0x7f0000000a40)={0x0, 0xa, 0x1, 0x1}, &(0x7f0000000500)={0x0, 0x8, 0x1, 0xfe}, &(0x7f0000000540)={0x20, 0x0, 0x4, {0x1, 0x2}}, &(0x7f00000005c0)={0x20, 0x0, 0x8, {0x20, 0x8, [0xff]}}, &(0x7f0000000600)={0x40, 0x7, 0x2}, &(0x7f0000000640)={0x40, 0x9, 0x1, 0x9}, &(0x7f0000000580)={0x40, 0xb, 0x2, "caf4"}, &(0x7f00000006c0)={0x40, 0xf, 0x2, 0x10}, &(0x7f0000000700)={0x40, 0x13, 0x6, @local}, &(0x7f0000000740)={0x40, 0x17, 0x6, @local}, &(0x7f0000000780)={0x40, 0x19, 0x2, "76b4"}, &(0x7f00000007c0)={0x40, 0x1a, 0x2, 0x8000}, &(0x7f0000000800)={0x40, 0x1c, 0x1}, &(0x7f0000000840)={0x40, 0x1e, 0x1, 0x1}, &(0x7f0000000880)={0x40, 0x21, 0x1, 0xf2}})
syz_usb_control_io$hid(r2, 0x0, 0x0)

program crashed: BUG: corrupted list in em28xx_init_extension
single: successfully extracted reproducer
found reproducer with 29 syscalls
minimizing guilty program
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg-ioctl$SIOCPNGETOBJECT-getsockopt$TIPC_SOCK_RECVQ_DEPTH-write$tun-syz_open_dev$video-ioctl$VIDIOC_ENUM_FRAMEINTERVALS-syz_usb_control_io$hid-syz_usb_control_io$uac1-syz_usb_control_io
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r9=>0xffffffffffffffff})
r10 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r10, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r10, 0x89e0, &(0x7f0000000480))
getsockopt$TIPC_SOCK_RECVQ_DEPTH(r9, 0x10f, 0x84, 0x0, &(0x7f0000000080))
write$tun(r4, &(0x7f0000000ec0)={@val={0x8, 0x800}, @val={0x3, 0x0, 0x4, 0x1, 0x14}, @ipv4=@generic={{0x6, 0x4, 0x1, 0x27, 0x20, 0x65, 0x0, 0x60, 0x2, 0x0, @initdev={0xac, 0x1e, 0xc, 0x0}, @broadcast, {[@noop]}}, "11f3305280f125e6"}}, 0x2e)
r11 = syz_open_dev$video(&(0x7f0000000240), 0x75, 0x700)
ioctl$VIDIOC_ENUM_FRAMEINTERVALS(r11, 0xc034564b, &(0x7f0000000040)={0x0, 0x42474752, 0x780, 0x438, 0x3, @stepwise={{0x2, 0x7ffd}, {0x2, 0xfff}, {0x5, 0xd}}})
syz_usb_control_io$hid(r2, 0x0, 0x0)
syz_usb_control_io$uac1(r2, 0x0, 0x0)
syz_usb_control_io(r2, &(0x7f0000000200)={0x2c, &(0x7f0000000080)={0x40, 0x0, 0x6d, {0x6d, 0x9, "bdb13dfb44b37c08c39d12ffa735d939196ab6477ac89ced78ccff173c8813580b971887eba0eee5692a2882303f5eb1b780b70505adcb45f4524aadc71176d27d583a1ac8bb2cddbb578fc3efe12de33bb62965a8aa1129b36ad15dbbdca1d8a1848127d6d82487d60637"}}, &(0x7f0000000680)=ANY=[@ANYBLOB="00031000e5c2b2ac010a9df61e82e4ee5eb66e8f12c5d6e914646b6e794100"], &(0x7f0000000140)={0x0, 0xf, 0x2d, {0x5, 0xf, 0x2d, 0x2, [@ssp_cap={0x10, 0x10, 0xa, 0xaf, 0x1, 0xff, 0xf, 0x7, [0xc0]}, @ssp_cap={0x18, 0x10, 0xa, 0x7, 0x3, 0xb507, 0x1100, 0x1c94, [0xffc0, 0xc0, 0xffc000]}]}}, &(0x7f0000000180)={0x20, 0x29, 0xf, {0xf, 0x29, 0xf, 0x1, 0x2, 0x6d, "0fdbcd95", "d0cdc9a6"}}, &(0x7f00000001c0)={0x20, 0x2a, 0xc, {0xc, 0x2a, 0xfb, 0x10, 0x2, 0x3, 0x5, 0x2, 0x8}}}, &(0x7f00000008c0)={0x84, &(0x7f0000000240)={0x40, 0x1, 0xb3, "1b43e62ee6f30a891f3d615d8a6c75e1d31dad1bb642ad37acf4e3eff155e9e7464e45e3b53084e1df913377bb97de43629d7373bd40a308179ba18408a0d25e1b40eaed1c4703d846b706a717d05c637c16b85b8560be10f5b60e6ffc918ed5ce7fabd4bf9c7f8244b1019a7893c03f5f85ed1dec5e0d663ac32cdc8c537dcb81f983069e7da5f370086aeecc89cb6ab3a3ce78ba51ab779bb024116c1cc56d282324278a049025a19797565039fd5f2b32e0"}, &(0x7f0000000a40)={0x0, 0xa, 0x1, 0x1}, &(0x7f0000000500)={0x0, 0x8, 0x1, 0xfe}, &(0x7f0000000540)={0x20, 0x0, 0x4, {0x1, 0x2}}, &(0x7f00000005c0)={0x20, 0x0, 0x8, {0x20, 0x8, [0xff]}}, &(0x7f0000000600)={0x40, 0x7, 0x2}, &(0x7f0000000640)={0x40, 0x9, 0x1, 0x9}, &(0x7f0000000580)={0x40, 0xb, 0x2, "caf4"}, &(0x7f00000006c0)={0x40, 0xf, 0x2, 0x10}, &(0x7f0000000700)={0x40, 0x13, 0x6, @local}, &(0x7f0000000740)={0x40, 0x17, 0x6, @local}, &(0x7f0000000780)={0x40, 0x19, 0x2, "76b4"}, &(0x7f00000007c0)={0x40, 0x1a, 0x2, 0x8000}, &(0x7f0000000800)={0x40, 0x1c, 0x1}, &(0x7f0000000840)={0x40, 0x1e, 0x1, 0x1}, &(0x7f0000000880)={0x40, 0x21, 0x1, 0xf2}})

program crashed: KASAN: slab-out-of-bounds Read in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg-ioctl$SIOCPNGETOBJECT-getsockopt$TIPC_SOCK_RECVQ_DEPTH-write$tun-syz_open_dev$video-ioctl$VIDIOC_ENUM_FRAMEINTERVALS-syz_usb_control_io$hid-syz_usb_control_io$uac1
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r9=>0xffffffffffffffff})
r10 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r10, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r10, 0x89e0, &(0x7f0000000480))
getsockopt$TIPC_SOCK_RECVQ_DEPTH(r9, 0x10f, 0x84, 0x0, &(0x7f0000000080))
write$tun(r4, &(0x7f0000000ec0)={@val={0x8, 0x800}, @val={0x3, 0x0, 0x4, 0x1, 0x14}, @ipv4=@generic={{0x6, 0x4, 0x1, 0x27, 0x20, 0x65, 0x0, 0x60, 0x2, 0x0, @initdev={0xac, 0x1e, 0xc, 0x0}, @broadcast, {[@noop]}}, "11f3305280f125e6"}}, 0x2e)
r11 = syz_open_dev$video(&(0x7f0000000240), 0x75, 0x700)
ioctl$VIDIOC_ENUM_FRAMEINTERVALS(r11, 0xc034564b, &(0x7f0000000040)={0x0, 0x42474752, 0x780, 0x438, 0x3, @stepwise={{0x2, 0x7ffd}, {0x2, 0xfff}, {0x5, 0xd}}})
syz_usb_control_io$hid(r2, 0x0, 0x0)
syz_usb_control_io$uac1(r2, 0x0, 0x0)

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg-ioctl$SIOCPNGETOBJECT-getsockopt$TIPC_SOCK_RECVQ_DEPTH-write$tun-syz_open_dev$video-ioctl$VIDIOC_ENUM_FRAMEINTERVALS-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r9=>0xffffffffffffffff})
r10 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r10, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r10, 0x89e0, &(0x7f0000000480))
getsockopt$TIPC_SOCK_RECVQ_DEPTH(r9, 0x10f, 0x84, 0x0, &(0x7f0000000080))
write$tun(r4, &(0x7f0000000ec0)={@val={0x8, 0x800}, @val={0x3, 0x0, 0x4, 0x1, 0x14}, @ipv4=@generic={{0x6, 0x4, 0x1, 0x27, 0x20, 0x65, 0x0, 0x60, 0x2, 0x0, @initdev={0xac, 0x1e, 0xc, 0x0}, @broadcast, {[@noop]}}, "11f3305280f125e6"}}, 0x2e)
r11 = syz_open_dev$video(&(0x7f0000000240), 0x75, 0x700)
ioctl$VIDIOC_ENUM_FRAMEINTERVALS(r11, 0xc034564b, &(0x7f0000000040)={0x0, 0x42474752, 0x780, 0x438, 0x3, @stepwise={{0x2, 0x7ffd}, {0x2, 0xfff}, {0x5, 0xd}}})
syz_usb_control_io$hid(r2, 0x0, 0x0)

program crashed: BUG: corrupted list in em28xx_init_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg-ioctl$SIOCPNGETOBJECT-getsockopt$TIPC_SOCK_RECVQ_DEPTH-write$tun-syz_open_dev$video-ioctl$VIDIOC_ENUM_FRAMEINTERVALS
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r9=>0xffffffffffffffff})
r10 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r10, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r10, 0x89e0, &(0x7f0000000480))
getsockopt$TIPC_SOCK_RECVQ_DEPTH(r9, 0x10f, 0x84, 0x0, &(0x7f0000000080))
write$tun(r4, &(0x7f0000000ec0)={@val={0x8, 0x800}, @val={0x3, 0x0, 0x4, 0x1, 0x14}, @ipv4=@generic={{0x6, 0x4, 0x1, 0x27, 0x20, 0x65, 0x0, 0x60, 0x2, 0x0, @initdev={0xac, 0x1e, 0xc, 0x0}, @broadcast, {[@noop]}}, "11f3305280f125e6"}}, 0x2e)
r11 = syz_open_dev$video(&(0x7f0000000240), 0x75, 0x700)
ioctl$VIDIOC_ENUM_FRAMEINTERVALS(r11, 0xc034564b, &(0x7f0000000040)={0x0, 0x42474752, 0x780, 0x438, 0x3, @stepwise={{0x2, 0x7ffd}, {0x2, 0xfff}, {0x5, 0xd}}})

program crashed: BUG: corrupted list in em28xx_init_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg-ioctl$SIOCPNGETOBJECT-getsockopt$TIPC_SOCK_RECVQ_DEPTH-write$tun-syz_open_dev$video
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r9=>0xffffffffffffffff})
r10 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r10, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r10, 0x89e0, &(0x7f0000000480))
getsockopt$TIPC_SOCK_RECVQ_DEPTH(r9, 0x10f, 0x84, 0x0, &(0x7f0000000080))
write$tun(r4, &(0x7f0000000ec0)={@val={0x8, 0x800}, @val={0x3, 0x0, 0x4, 0x1, 0x14}, @ipv4=@generic={{0x6, 0x4, 0x1, 0x27, 0x20, 0x65, 0x0, 0x60, 0x2, 0x0, @initdev={0xac, 0x1e, 0xc, 0x0}, @broadcast, {[@noop]}}, "11f3305280f125e6"}}, 0x2e)
syz_open_dev$video(&(0x7f0000000240), 0x75, 0x700)

program crashed: BUG: corrupted list in em28xx_init_extension
program crashed: KASAN: use-after-free Read in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg-ioctl$SIOCPNGETOBJECT-getsockopt$TIPC_SOCK_RECVQ_DEPTH-write$tun
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r9=>0xffffffffffffffff})
r10 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r10, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r10, 0x89e0, &(0x7f0000000480))
getsockopt$TIPC_SOCK_RECVQ_DEPTH(r9, 0x10f, 0x84, 0x0, &(0x7f0000000080))
write$tun(r4, &(0x7f0000000ec0)={@val={0x8, 0x800}, @val={0x3, 0x0, 0x4, 0x1, 0x14}, @ipv4=@generic={{0x6, 0x4, 0x1, 0x27, 0x20, 0x65, 0x0, 0x60, 0x2, 0x0, @initdev={0xac, 0x1e, 0xc, 0x0}, @broadcast, {[@noop]}}, "11f3305280f125e6"}}, 0x2e)

program crashed: KASAN: use-after-free Read in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg-ioctl$SIOCPNGETOBJECT-getsockopt$TIPC_SOCK_RECVQ_DEPTH
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000)={<r9=>0xffffffffffffffff})
r10 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r10, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r10, 0x89e0, &(0x7f0000000480))
getsockopt$TIPC_SOCK_RECVQ_DEPTH(r9, 0x10f, 0x84, 0x0, &(0x7f0000000080))

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg-ioctl$SIOCPNGETOBJECT
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000))
r9 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r9, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)
ioctl$SIOCPNGETOBJECT(r9, 0x89e0, &(0x7f0000000480))

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe-setsockopt$SO_BINDTODEVICE_wg
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000))
r9 = socket$phonet_pipe(0x23, 0x5, 0x2)
setsockopt$SO_BINDTODEVICE_wg(r9, 0x1, 0x19, &(0x7f0000000040)='wg2\x00', 0x4)

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc-socket$phonet_pipe
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000))
socket$phonet_pipe(0x23, 0x5, 0x2)

program crashed: BUG: corrupted list in em28xx_init_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR-socketpair$tipc
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})
socketpair$tipc(0x1e, 0x2, 0x0, &(0x7f0000000000))

program crashed: KASAN: use-after-free Read in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm-ioctl$SIOCSIFHWADDR
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
r8 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r8, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast})

program crashed: BUG: corrupted list in em28xx_init_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan-socket$kcm
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)
socket$kcm(0x2, 0x3, 0x2)

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base-ioctl$ifreq_SIOCGIFINDEX_vcan
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
r7 = socket$isdn_base(0x22, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, 0x0)

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC-socket$isdn_base
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)
socket$isdn_base(0x22, 0x3, 0x0)

program crashed: KASAN: use-after-free Read in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6-sendmsg$SEG6_CMD_SETHMAC
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)
sendmsg$SEG6_CMD_SETHMAC(r5, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="0100000000000000000001000000050005000100000008000400000000000500060000000000080003"], 0x34}}, 0x0)

program crashed: BUG: corrupted list in em28xx_init_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic-syz_genetlink_get_family_id$SEG6
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$SEG6(&(0x7f0000000080), 0xffffffffffffffff)

program crashed: KASAN: slab-use-after-free Read in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF-socket$nl_generic
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
socket$nl_generic(0x10, 0x3, 0x10)

program crashed: KASAN: slab-use-after-free Read in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun-ioctl$TUNSETIFF
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS-openat$tun
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp-getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r3, 0x84, 0x1a, 0x0, &(0x7f0000000100))

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io-socket$inet6_sctp
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)
socket$inet6_sctp(0xa, 0x5, 0x84)

program crashed: KASAN: slab-use-after-free Read in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect-syz_usb_control_io
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
r2 = syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)
syz_usb_control_io(r2, 0x0, 0x0)

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals-syz_usb_connect
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)

program crashed: KASAN: slab-use-after-free Read in em28xx_init_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-fcntl$addseals
detailed listing:
executing program 0:
r0 = memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r1 = socket(0x10, 0x3, 0x0)
write(r1, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
fcntl$addseals(r0, 0x409, 0x5)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-write-syz_usb_connect
detailed listing:
executing program 0:
memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
r0 = socket(0x10, 0x3, 0x0)
write(r0, &(0x7f00000000c0)="3c00000058001f00032ae4f9002304000a04d65f080001000201000217d1ae3b70b0406700912deb5b859322340b0100000078f72e230a19fb2bcb1d", 0x3c)
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)

program crashed: KASAN: use-after-free Read in em28xx_init_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-socket-syz_usb_connect
detailed listing:
executing program 0:
memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
socket(0x10, 0x3, 0x0)
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)

program crashed: KASAN: use-after-free Read in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): memfd_create-syz_usb_connect
detailed listing:
executing program 0:
memfd_create(&(0x7f0000000300)='+\x8b\x8a\x16\x11O\xdd\xdfk(F\x99\xdf\x92\xd5>oJ\x02u\x9b\xafa\xac\x06\x9c&\xf5\xe3j\xfa\tcqM\xb8R\x86\xd9\xd2.\x9f\x12\xed\x10\f\xbd\x1a|\x8a\xbb\xda\xcfY\x98gU@\xf2M\xc0\xb5\xdf\x9a\x8d\xdb,n\xae\x0eT\x80\x8c\xfd\xd7\xb0\x94\x82t\x96\rKx\xc5\x9b\x8c\x87\x96\x8bc\xbc\xee\xcc\x9f\xe3F\x99V4\x8e;M\xa9\x823\xe3\xb3mG\x8f\xdb\xed\x1b\x05\xec\xfc\xd1\xb5\xfd\xec@\xdeU\xdd\xa4\xc1\xe4L)\x8e\xe5\x91\x8e\xd4\x89\xef\x95T\x05G\xac\xb8\xc1: )mh\xc7\xf1?\xbb\x13;\xad\x95\xd70\xb6\x0e\x7f\x84r\x0e\xbf\xc5\xf6\xd4\xdd\t\x14\x18\xf7\xefi\x93\x03\xd2\xf2\bK\"\xd2\xb5\xaa\xb8\xc8\xe0\xac\x99\xe8su\xcd\xc3E\x12\xd7\xdd\x96!\x16Tu\xe3\xf0\x84#R\xd9\xe3~Wj\xb0r\x87\'\xea\a\xcfOeK\x9daW\xf4\x87@\x9c\xf3\xf1K\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x91\xe6\xdb\xc2\xa5h\'\xdfIn\x97\x0263~\xeb\xbe(i\n\xc2k4\x7f\x12\xa9e`SOs\x8c\xb4\xe7FeQ\xc6$\x92j_U\xfa\b\xea\xb0bYkW\xc0\x05\aC{\xcc\x03T\x17\xa5Sk\x87P\xc2\x97D\xb2\xfa\x1b\x9fe\xf4\x10\x1a\xad\x92\xce\x88\x1b\xbc\xe14\x19\xaa\xd3\r\xf4\xa2\xc3\x9e=\xa0 \xe6j\xe5\x85\xf8\x97\x03\x15\xaa\x920\xdcrI\xd8\b\xfb\xc7\xe7xX\x00>d\xbb\xa71\xad\x9a\xfb\xe6\x13\x87\x93\\\xe5W-\xfc\xfd\xb8O\xb9j\xb8\xf2\x9dx\xb2\x86\xad\x92', 0x3)
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)

program crashed: KASAN: use-after-free Read in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)

program crashed: BUG: corrupted list in em28xx_close_extension
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, 0x0, 0x0)

program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB], 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in em28xx_close_extension
simplifying C reproducer
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_close_extension
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-out-of-bounds Read in em28xx_init_extension
a never seen crash title: KASAN: slab-out-of-bounds Read in em28xx_init_extension, ignore
testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)

program crashed: BUG: corrupted list in em28xx_init_extension
validation run: crashed=true
testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)

program crashed: BUG: corrupted list in em28xx_init_extension
validation run: crashed=true
testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f00000009c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b0001f6000000090400000190f19c000905f3ed8295091f8fee2efe39472f1ea3227d052d7556c97a470fa22bee95e09780953cc585369ad5511fb3243191c3"], 0x0)

program crashed: BUG: corrupted list in em28xx_init_extension
validation run: crashed=true
reproducing took 2h1m2.422395565s
repro crashed as (corrupted=false):
em28xx 1-1:246.0: AC97 chip type couldn't be determined
em28xx 1-1:246.0: No AC97 audio processor
 non-slab/vmalloc memory
list_add corruption. prev->next should be next (ffffffff8fc129e0), but was ffffffff8982ba1d. (prev=ffff888057e1c250).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:34!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 5901 Comm: kworker/1:4 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_add_valid_or_report+0x123/0x130 lib/list_debug.c:32
Code: e8 a2 87 48 fd 43 80 3c 2c 00 74 08 4c 89 f7 e8 e3 24 6a fd 49 8b 16 48 c7 c7 60 89 4a 8c 48 89 de 4c 89 f1 e8 8e 7d 61 fc 90 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003bd6b20 EFLAGS: 00010246
RAX: 0000000000000075 RBX: ffffffff8fc129e0 RCX: 66afd6c0bc5ade00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 1ffffffff1f8253d R08: ffffc90003bd68a7 R09: 1ffff9200077ad14
R10: dffffc0000000000 R11: fffff5200077ad15 R12: 1ffff1100afc384a
R13: dffffc0000000000 R14: ffff888057e1c250 R15: ffff88802d678250
FS:  0000000000000000(0000) GS:ffff888124ee1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30d63fff CR3: 000000005dbec000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __list_add_valid include/linux/list.h:96 [inline]
 __list_add include/linux/list.h:158 [inline]
 list_add_tail include/linux/list.h:191 [inline]
 em28xx_init_extension+0x56/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1114
 em28xx_init_dev+0xc01/0x3280 drivers/media/usb/em28xx/em28xx-cards.c:3686
 em28xx_usb_probe+0x157b/0x2b10 drivers/media/usb/em28xx/em28xx-cards.c:4041
 usb_probe_interface+0x668/0xc90 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:721
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:863
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:893
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1021
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1093
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1148
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2266
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:721
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:863
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:893
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1021
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1093
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1148
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3692
 usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
 process_one_work+0x9ab/0x1780 kernel/workqueue.c:3288
 process_scheduled_works kernel/workqueue.c:3379 [inline]
 worker_thread+0xbee/0x11e0 kernel/workqueue.c:3465
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0x123/0x130 lib/list_debug.c:32
Code: e8 a2 87 48 fd 43 80 3c 2c 00 74 08 4c 89 f7 e8 e3 24 6a fd 49 8b 16 48 c7 c7 60 89 4a 8c 48 89 de 4c 89 f1 e8 8e 7d 61 fc 90 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003bd6b20 EFLAGS: 00010246
RAX: 0000000000000075 RBX: ffffffff8fc129e0 RCX: 66afd6c0bc5ade00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 1ffffffff1f8253d R08: ffffc90003bd68a7 R09: 1ffff9200077ad14
R10: dffffc0000000000 R11: fffff5200077ad15 R12: 1ffff1100afc384a
R13: dffffc0000000000 R14: ffff888057e1c250 R15: ffff88802d678250
FS:  0000000000000000(0000) GS:ffff888124ee1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30d63fff CR3: 000000005e3ee000 CR4: 00000000003526f0

final repro crashed as (corrupted=false):
em28xx 1-1:246.0: AC97 chip type couldn't be determined
em28xx 1-1:246.0: No AC97 audio processor
 non-slab/vmalloc memory
list_add corruption. prev->next should be next (ffffffff8fc129e0), but was ffffffff8982ba1d. (prev=ffff888057e1c250).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:34!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 5901 Comm: kworker/1:4 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_add_valid_or_report+0x123/0x130 lib/list_debug.c:32
Code: e8 a2 87 48 fd 43 80 3c 2c 00 74 08 4c 89 f7 e8 e3 24 6a fd 49 8b 16 48 c7 c7 60 89 4a 8c 48 89 de 4c 89 f1 e8 8e 7d 61 fc 90 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003bd6b20 EFLAGS: 00010246
RAX: 0000000000000075 RBX: ffffffff8fc129e0 RCX: 66afd6c0bc5ade00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 1ffffffff1f8253d R08: ffffc90003bd68a7 R09: 1ffff9200077ad14
R10: dffffc0000000000 R11: fffff5200077ad15 R12: 1ffff1100afc384a
R13: dffffc0000000000 R14: ffff888057e1c250 R15: ffff88802d678250
FS:  0000000000000000(0000) GS:ffff888124ee1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30d63fff CR3: 000000005dbec000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __list_add_valid include/linux/list.h:96 [inline]
 __list_add include/linux/list.h:158 [inline]
 list_add_tail include/linux/list.h:191 [inline]
 em28xx_init_extension+0x56/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1114
 em28xx_init_dev+0xc01/0x3280 drivers/media/usb/em28xx/em28xx-cards.c:3686
 em28xx_usb_probe+0x157b/0x2b10 drivers/media/usb/em28xx/em28xx-cards.c:4041
 usb_probe_interface+0x668/0xc90 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:721
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:863
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:893
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1021
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1093
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1148
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2266
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:721
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:863
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:893
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1021
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1093
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1148
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3692
 usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
 process_one_work+0x9ab/0x1780 kernel/workqueue.c:3288
 process_scheduled_works kernel/workqueue.c:3379 [inline]
 worker_thread+0xbee/0x11e0 kernel/workqueue.c:3465
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0x123/0x130 lib/list_debug.c:32
Code: e8 a2 87 48 fd 43 80 3c 2c 00 74 08 4c 89 f7 e8 e3 24 6a fd 49 8b 16 48 c7 c7 60 89 4a 8c 48 89 de 4c 89 f1 e8 8e 7d 61 fc 90 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003bd6b20 EFLAGS: 00010246
RAX: 0000000000000075 RBX: ffffffff8fc129e0 RCX: 66afd6c0bc5ade00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 1ffffffff1f8253d R08: ffffc90003bd68a7 R09: 1ffff9200077ad14
R10: dffffc0000000000 R11: fffff5200077ad15 R12: 1ffff1100afc384a
R13: dffffc0000000000 R14: ffff888057e1c250 R15: ffff88802d678250
FS:  0000000000000000(0000) GS:ffff888124ee1000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30d63fff CR3: 000000005e3ee000 CR4: 00000000003526f0