Extracting prog: 2m7.163132114s
Minimizing prog: 15m59.981315705s
Simplifying prog options: 0s
Extracting C: 25.00481817s
Simplifying C: 6m56.573774341s

extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{&(0x7f0000000040)="e26c", 0x2}], 0x1)
program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{&(0x7f0000000040)="e26c", 0x2}], 0x1)
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
single: successfully extracted reproducer
found reproducer with 3 syscalls
minimizing guilty program
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
writev(0xffffffffffffffff, &(0x7f0000000180)=[{&(0x7f0000000040)="e26c", 0x2}], 0x1)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$I2C-writev
detailed listing:
executing program 0:
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{&(0x7f0000000040)="e26c", 0x2}], 0x1)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, 0x0, 0x0)
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{&(0x7f0000000040)="e26c", 0x2}], 0x1)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB], 0x0)
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{&(0x7f0000000040)="e26c", 0x2}], 0x1)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
r0 = syz_open_dev$I2C(0x0, 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{&(0x7f0000000040)="e26c", 0x2}], 0x1)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, 0x0, 0x0)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{0x0}], 0x1)
program did not crash
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{&(0x7f0000000040)}], 0x1)
program did not crash
extracting C reproducer
testing compiled C program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
simplifying C reproducer
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
program did not crash
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
testing compiled C program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{&(0x7f0000000040)="e26c", 0x2}], 0x1)
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
validation run: crashed=true
testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{&(0x7f0000000040)="e26c", 0x2}], 0x1)
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
validation run: crashed=true
testing program (duration=1m40s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-syz_open_dev$I2C-writev
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000034276d20402003c68e01000000010902120001000000000904"], 0x0)
r0 = syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x402)
writev(r0, &(0x7f0000000180)=[{&(0x7f0000000040)="e26c", 0x2}], 0x1)
program crashed: BUG: unable to handle kernel paging request in dvb_usbv2_generic_write
validation run: crashed=true
reproducing took 29m10.279212421s

repro crashed as (corrupted=false):
misc raw-gadget: fail, usb_gadget_register_driver returned -16
Unable to handle kernel paging request at virtual address dfff800000000018
KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000018] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 5181 Comm: syz.4.105 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __mutex_lock_common kernel/locking/mutex.c:625 [inline]
pc : __mutex_lock+0x120/0xed0 kernel/locking/mutex.c:820
lr : __mutex_lock_common kernel/locking/mutex.c:623 [inline]
lr : __mutex_lock+0xf8/0xed0 kernel/locking/mutex.c:820
sp : ffff8000952171e0
x29: ffff800095217350 x28: dfff800000000000 x27: ffff800083b12770
x26: ffff8000952172a8 x25: ffff8000952172a0 x24: 0000000000000000
x23: 0000000000000000 x22: ffff8000952172c0 x21: ffff700012a42e50
x20: ffff0000ede6b150 x19: 0000000000000068 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000020000040
x14: 0000000000000001 x13: 0000000000000005 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000003 x9 : 0000000000000003
x8 : 0000000000000018 x7 : 0000000000000000 x6 : 000000000000001a
x5 : ffff0000ede6b153 x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000000 x1 : ffff0000cd399d00 x0 : 0000000000000000
Call trace:
 __mutex_lock_common kernel/locking/mutex.c:625 [inline] (P)
 __mutex_lock+0x120/0xed0 kernel/locking/mutex.c:820 (P)
 mutex_lock_nested+0x24/0x30 kernel/locking/mutex.c:873
 dvb_usbv2_generic_write+0x30/0x6c drivers/media/usb/dvb-usb-v2/dvb_usb_urb.c:77
 mxl111sf_ctrl_msg+0x128/0x2cc drivers/media/usb/dvb-usb-v2/mxl111sf.c:73
 mxl111sf_write_reg+0xb0/0x1c0 drivers/media/usb/dvb-usb-v2/mxl111sf.c:123
 mxl111sf_i2c_start drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:130 [inline]
 mxl111sf_i2c_sw_xfer_msg drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:-1 [inline]
 mxl111sf_i2c_xfer+0x3e8/0x2ffc drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:813
 __i2c_transfer+0x610/0x1c6c drivers/i2c/i2c-core-base.c:-1
 i2c_transfer+0x1cc/0x2e0 drivers/i2c/i2c-core-base.c:2316
 i2c_transfer_buffer_flags+0xec/0x18c drivers/i2c/i2c-core-base.c:2344
 i2c_master_send include/linux/i2c.h:109 [inline]
 i2cdev_write+0x114/0x1d8 drivers/i2c/i2c-dev.c:183
 do_loop_readv_writev+0x24c/0x3dc fs/read_write.c:-1
 vfs_writev+0x2c8/0x630 fs/read_write.c:1061
 do_writev+0x134/0x2a8 fs/read_write.c:1105
 __do_sys_writev fs/read_write.c:1173 [inline]
 __se_sys_writev fs/read_write.c:1170 [inline]
 __arm64_sys_writev+0x80/0x94 fs/read_write.c:1170
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
Code: b94ce108 35000148 91016268 d343fd08 (387c6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0: b94ce108 ldr w8, [x8, #3296]
   4: 35000148 cbnz w8, 0x2c
   8: 91016268 add x8, x19, #0x58
   c: d343fd08 lsr x8, x8, #3
* 10: 387c6908 ldrb w8, [x8, x28] <-- trapping instruction

final repro crashed as (corrupted=false):
misc raw-gadget: fail, usb_gadget_register_driver returned -16
Unable to handle kernel paging request at virtual address dfff800000000018
KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000018] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 5181 Comm: syz.4.105 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __mutex_lock_common kernel/locking/mutex.c:625 [inline]
pc : __mutex_lock+0x120/0xed0 kernel/locking/mutex.c:820
lr : __mutex_lock_common kernel/locking/mutex.c:623 [inline]
lr : __mutex_lock+0xf8/0xed0 kernel/locking/mutex.c:820
sp : ffff8000952171e0
x29: ffff800095217350 x28: dfff800000000000 x27: ffff800083b12770
x26: ffff8000952172a8 x25: ffff8000952172a0 x24: 0000000000000000
x23: 0000000000000000 x22: ffff8000952172c0 x21: ffff700012a42e50
x20: ffff0000ede6b150 x19: 0000000000000068 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000020000040
x14: 0000000000000001 x13: 0000000000000005 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000003 x9 : 0000000000000003
x8 : 0000000000000018 x7 : 0000000000000000 x6 : 000000000000001a
x5 : ffff0000ede6b153 x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000000 x1 : ffff0000cd399d00 x0 : 0000000000000000
Call trace:
 __mutex_lock_common kernel/locking/mutex.c:625 [inline] (P)
 __mutex_lock+0x120/0xed0 kernel/locking/mutex.c:820 (P)
 mutex_lock_nested+0x24/0x30 kernel/locking/mutex.c:873
 dvb_usbv2_generic_write+0x30/0x6c drivers/media/usb/dvb-usb-v2/dvb_usb_urb.c:77
 mxl111sf_ctrl_msg+0x128/0x2cc drivers/media/usb/dvb-usb-v2/mxl111sf.c:73
 mxl111sf_write_reg+0xb0/0x1c0 drivers/media/usb/dvb-usb-v2/mxl111sf.c:123
 mxl111sf_i2c_start drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:130 [inline]
 mxl111sf_i2c_sw_xfer_msg drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:-1 [inline]
 mxl111sf_i2c_xfer+0x3e8/0x2ffc drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:813
 __i2c_transfer+0x610/0x1c6c drivers/i2c/i2c-core-base.c:-1
 i2c_transfer+0x1cc/0x2e0 drivers/i2c/i2c-core-base.c:2316
 i2c_transfer_buffer_flags+0xec/0x18c drivers/i2c/i2c-core-base.c:2344
 i2c_master_send include/linux/i2c.h:109 [inline]
 i2cdev_write+0x114/0x1d8 drivers/i2c/i2c-dev.c:183
 do_loop_readv_writev+0x24c/0x3dc fs/read_write.c:-1
 vfs_writev+0x2c8/0x630 fs/read_write.c:1061
 do_writev+0x134/0x2a8 fs/read_write.c:1105
 __do_sys_writev fs/read_write.c:1173 [inline]
 __se_sys_writev fs/read_write.c:1170 [inline]
 __arm64_sys_writev+0x80/0x94 fs/read_write.c:1170
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
Code: b94ce108 35000148 91016268 d343fd08 (387c6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0: b94ce108 ldr w8, [x8, #3296]
   4: 35000148 cbnz w8, 0x2c
   8: 91016268 add x8, x19, #0x58
   c: d343fd08 lsr x8, x8, #3
* 10: 387c6908 ldrb w8, [x8, x28] <-- trapping instruction