Extracting prog: 1m23.929970565s
Minimizing prog: 1m13.334737247s
Simplifying prog options: 0s
Extracting C: 18.862494914s
Simplifying C: 3m41.135937467s


extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x48, &(0x7f0000000800)={{0x12, 0x1, 0x110, 0xa8, 0xa5, 0xaf, 0x20, 0x2040, 0xb900, 0xc159, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x36, 0x3, 0x7, 0x5, 0x60, 0xf, "", [{{0x9, 0x4, 0x7c, 0x23, 0x0, 0x53, 0x5c, 0x28, 0x2}}, {{0x9, 0x4, 0x0, 0xa3, 0x2, 0xda, 0x38, 0xad, 0xf2, [], [{{0x9, 0x5, 0x85, 0x2, 0x8, 0x6, 0xd, 0xc0}}, {{0x9, 0x5, 0x9, 0x14, 0x200, 0x8, 0x5, 0x7d}}]}}, {{0x9, 0x4, 0x34, 0x10, 0x0, 0x6, 0x81, 0x76, 0x6}}]}}]}}, 0x0)

program crashed: lost connection to test machine
program crashed: WARNING in usb_free_urb
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in usb_free_urb
simplifying C reproducer
testing compiled C program (duration=30s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in usb_free_urb
testing compiled C program (duration=30s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in usb_free_urb
testing compiled C program (duration=30s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in usb_free_urb
testing compiled C program (duration=30s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in corrupted
a never seen crash title: WARNING in corrupted, ignore
testing compiled C program (duration=30s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in usb_free_urb
testing compiled C program (duration=30s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in usb_free_urb
testing compiled C program (duration=30s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in usb_free_urb
testing program (duration=30s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x48, &(0x7f0000000800)={{0x12, 0x1, 0x110, 0xa8, 0xa5, 0xaf, 0x20, 0x2040, 0xb900, 0xc159, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x36, 0x3, 0x7, 0x5, 0x60, 0xf, "", [{{0x9, 0x4, 0x7c, 0x23, 0x0, 0x53, 0x5c, 0x28, 0x2}}, {{0x9, 0x4, 0x0, 0xa3, 0x2, 0xda, 0x38, 0xad, 0xf2, [], [{{0x9, 0x5, 0x85, 0x2, 0x8, 0x6, 0xd, 0xc0}}, {{0x9, 0x5, 0x9, 0x14, 0x200, 0x8, 0x5, 0x7d}}]}}, {{0x9, 0x4, 0x34, 0x10, 0x0, 0x6, 0x81, 0x76, 0x6}}]}}]}}, 0x0)

program crashed: WARNING in usb_free_urb
validation run: crashed=true
testing program (duration=30s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x48, &(0x7f0000000800)={{0x12, 0x1, 0x110, 0xa8, 0xa5, 0xaf, 0x20, 0x2040, 0xb900, 0xc159, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x36, 0x3, 0x7, 0x5, 0x60, 0xf, "", [{{0x9, 0x4, 0x7c, 0x23, 0x0, 0x53, 0x5c, 0x28, 0x2}}, {{0x9, 0x4, 0x0, 0xa3, 0x2, 0xda, 0x38, 0xad, 0xf2, [], [{{0x9, 0x5, 0x85, 0x2, 0x8, 0x6, 0xd, 0xc0}}, {{0x9, 0x5, 0x9, 0x14, 0x200, 0x8, 0x5, 0x7d}}]}}, {{0x9, 0x4, 0x34, 0x10, 0x0, 0x6, 0x81, 0x76, 0x6}}]}}]}}, 0x0)

program crashed: WARNING in usb_free_urb
validation run: crashed=true
testing program (duration=30s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x48, &(0x7f0000000800)={{0x12, 0x1, 0x110, 0xa8, 0xa5, 0xaf, 0x20, 0x2040, 0xb900, 0xc159, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x36, 0x3, 0x7, 0x5, 0x60, 0xf, "", [{{0x9, 0x4, 0x7c, 0x23, 0x0, 0x53, 0x5c, 0x28, 0x2}}, {{0x9, 0x4, 0x0, 0xa3, 0x2, 0xda, 0x38, 0xad, 0xf2, [], [{{0x9, 0x5, 0x85, 0x2, 0x8, 0x6, 0xd, 0xc0}}, {{0x9, 0x5, 0x9, 0x14, 0x200, 0x8, 0x5, 0x7d}}]}}, {{0x9, 0x4, 0x34, 0x10, 0x0, 0x6, 0x81, 0x76, 0x6}}]}}]}}, 0x0)

program crashed: WARNING in usb_free_urb
validation run: crashed=true
reproducing took 8m12.093198304s
repro crashed as (corrupted=false):
------------[ cut here ]------------
!PageLargeKmalloc(page)
WARNING: mm/slub.c:6535 at free_large_kmalloc+0xbf/0x100 mm/slub.c:6535, CPU#3: kworker/3:2/847
Modules linked in:
CPU: 3 UID: 0 PID: 847 Comm: kworker/3:2 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:free_large_kmalloc+0xbf/0x100 mm/slub.c:6535
Code: 28 90 0f 0b 90 80 3d 08 a9 54 0e 00 0f 84 a7 f5 b6 fe 48 8b 74 24 28 48 89 ef e8 2c 04 0c 00 b8 00 f0 ff ff 45 31 ed eb 9d 90 <0f> 0b 90 48 83 c4 08 48 89 df 48 c7 c6 19 e5 f1 8d 5b 5d 41 5c 41
RSP: 0018:ffffc90004c16d80 EFLAGS: 00010202
RAX: 00000000000000ff RBX: ffffea000156b880 RCX: 000000000000002e
RDX: 0000000000000000 RSI: ffff888055ae2000 RDI: ffffea000156b880
RBP: ffff888055ae2000 R08: 0000000000000005 R09: 0000000000000000
R10: ffffffffffffffff R11: 000000000000752b R12: ffff8880395dc000
R13: ffff8880395de000 R14: dffffc0000000000 R15: ffff8880395dc0f0
FS:  0000000000000000(0000) GS:ffff8880d6631000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056503b5323e0 CR3: 000000003911f000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 urb_destroy drivers/usb/core/urb.c:25 [inline]
 kref_put include/linux/kref.h:65 [inline]
 usb_free_urb.part.0+0xf8/0x110 drivers/usb/core/urb.c:96
 usb_free_urb+0x1f/0x30 drivers/usb/core/urb.c:95
 smsusb_term_device+0x108/0x200 drivers/media/usb/siano/smsusb.c:352
 smsusb_init_device+0xb4e/0xbb0 drivers/media/usb/siano/smsusb.c:497
 smsusb_probe+0xd7f/0xe1f drivers/media/usb/siano/smsusb.c:575
 usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:628 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:706
 __driver_probe_device+0x20e/0x450 drivers/base/dd.c:868
 driver_probe_device+0x4a/0x140 drivers/base/dd.c:898
 __device_attach_driver+0x1df/0x320 drivers/base/dd.c:1026
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1098
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1153
 bus_probe_device+0x64/0x160 drivers/base/bus.c:620
 device_add+0x121d/0x1970 drivers/base/core.c:3772
 usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2268
 usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:628 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:706
 __driver_probe_device+0x20e/0x450 drivers/base/dd.c:868
 driver_probe_device+0x4a/0x140 drivers/base/dd.c:898
 __device_attach_driver+0x1df/0x320 drivers/base/dd.c:1026
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1098
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1153
 bus_probe_device+0x64/0x160 drivers/base/bus.c:620
 device_add+0x121d/0x1970 drivers/base/core.c:3772
 usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953
 process_one_work+0xa23/0x1940 kernel/workqueue.c:3322
 process_scheduled_works kernel/workqueue.c:3405 [inline]
 worker_thread+0x5ef/0xe50 kernel/workqueue.c:3486
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

final repro crashed as (corrupted=false):
------------[ cut here ]------------
!PageLargeKmalloc(page)
WARNING: mm/slub.c:6535 at free_large_kmalloc+0xbf/0x100 mm/slub.c:6535, CPU#3: kworker/3:2/847
Modules linked in:
CPU: 3 UID: 0 PID: 847 Comm: kworker/3:2 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:free_large_kmalloc+0xbf/0x100 mm/slub.c:6535
Code: 28 90 0f 0b 90 80 3d 08 a9 54 0e 00 0f 84 a7 f5 b6 fe 48 8b 74 24 28 48 89 ef e8 2c 04 0c 00 b8 00 f0 ff ff 45 31 ed eb 9d 90 <0f> 0b 90 48 83 c4 08 48 89 df 48 c7 c6 19 e5 f1 8d 5b 5d 41 5c 41
RSP: 0018:ffffc90004c16d80 EFLAGS: 00010202
RAX: 00000000000000ff RBX: ffffea000156b880 RCX: 000000000000002e
RDX: 0000000000000000 RSI: ffff888055ae2000 RDI: ffffea000156b880
RBP: ffff888055ae2000 R08: 0000000000000005 R09: 0000000000000000
R10: ffffffffffffffff R11: 000000000000752b R12: ffff8880395dc000
R13: ffff8880395de000 R14: dffffc0000000000 R15: ffff8880395dc0f0
FS:  0000000000000000(0000) GS:ffff8880d6631000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056503b5323e0 CR3: 000000003911f000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 urb_destroy drivers/usb/core/urb.c:25 [inline]
 kref_put include/linux/kref.h:65 [inline]
 usb_free_urb.part.0+0xf8/0x110 drivers/usb/core/urb.c:96
 usb_free_urb+0x1f/0x30 drivers/usb/core/urb.c:95
 smsusb_term_device+0x108/0x200 drivers/media/usb/siano/smsusb.c:352
 smsusb_init_device+0xb4e/0xbb0 drivers/media/usb/siano/smsusb.c:497
 smsusb_probe+0xd7f/0xe1f drivers/media/usb/siano/smsusb.c:575
 usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:628 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:706
 __driver_probe_device+0x20e/0x450 drivers/base/dd.c:868
 driver_probe_device+0x4a/0x140 drivers/base/dd.c:898
 __device_attach_driver+0x1df/0x320 drivers/base/dd.c:1026
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1098
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1153
 bus_probe_device+0x64/0x160 drivers/base/bus.c:620
 device_add+0x121d/0x1970 drivers/base/core.c:3772
 usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2268
 usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:628 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:706
 __driver_probe_device+0x20e/0x450 drivers/base/dd.c:868
 driver_probe_device+0x4a/0x140 drivers/base/dd.c:898
 __device_attach_driver+0x1df/0x320 drivers/base/dd.c:1026
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1098
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1153
 bus_probe_device+0x64/0x160 drivers/base/bus.c:620
 device_add+0x121d/0x1970 drivers/base/core.c:3772
 usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953
 process_one_work+0xa23/0x1940 kernel/workqueue.c:3322
 process_scheduled_works kernel/workqueue.c:3405 [inline]
 worker_thread+0x5ef/0xe50 kernel/workqueue.c:3486
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>