Extracting prog: 3m56.871967987s Minimizing prog: 52m30.038665209s Simplifying prog options: 0s Extracting C: 3m27.512194953s Simplifying C: 21m6.219745584s extracting reproducer from 1 programs testing a last program of every proc single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-close_range-setsockopt$netlink_NETLINK_CAP_ACK-syz_usb_connect-mount$fuse-write$FUSE_INIT-syz_fuse_handle_req-quotactl_fd$Q_GETQUOTA-connect$pppl2tp-openat$ppp detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_CAP_ACK(0xffffffffffffffff, 0x10e, 0xa, 0x0, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) mount$fuse(0x0, 0x0, 0x0, 0x800010, 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) syz_fuse_handle_req(0xffffffffffffffff, 0x0, 0x0, 0x0) quotactl_fd$Q_GETQUOTA(0xffffffffffffffff, 0xffffffff80000700, 0x0, 0x0) connect$pppl2tp(0xffffffffffffffff, 0x0, 0x0) openat$ppp(0xffffffffffffff9c, 0x0, 0x1, 0x0) program did not crash single: failed to extract reproducer single: executing 1 programs separately with timeout 6m0s testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true 
BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-close_range-setsockopt$netlink_NETLINK_CAP_ACK-syz_usb_connect-mount$fuse-write$FUSE_INIT-syz_fuse_handle_req-quotactl_fd$Q_GETQUOTA-connect$pppl2tp-openat$ppp detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_CAP_ACK(0xffffffffffffffff, 0x10e, 0xa, 0x0, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) mount$fuse(0x0, 0x0, 0x0, 0x800010, 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) syz_fuse_handle_req(0xffffffffffffffff, 0x0, 0x0, 0x0) quotactl_fd$Q_GETQUOTA(0xffffffffffffffff, 0xffffffff80000700, 0x0, 0x0) connect$pppl2tp(0xffffffffffffffff, 0x0, 0x0) openat$ppp(0xffffffffffffff9c, 0x0, 0x1, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open single: successfully extracted reproducer found reproducer with 11 syscalls minimizing guilty program testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-close_range-setsockopt$netlink_NETLINK_CAP_ACK-syz_usb_connect-mount$fuse-write$FUSE_INIT-syz_fuse_handle_req-quotactl_fd$Q_GETQUOTA-connect$pppl2tp detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_CAP_ACK(0xffffffffffffffff, 0x10e, 0xa, 0x0, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) mount$fuse(0x0, 0x0, 0x0, 0x800010, 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) syz_fuse_handle_req(0xffffffffffffffff, 0x0, 0x0, 0x0) quotactl_fd$Q_GETQUOTA(0xffffffffffffffff, 0xffffffff80000700, 0x0, 0x0) connect$pppl2tp(0xffffffffffffffff, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-close_range-setsockopt$netlink_NETLINK_CAP_ACK-syz_usb_connect-mount$fuse-write$FUSE_INIT-syz_fuse_handle_req-quotactl_fd$Q_GETQUOTA detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_CAP_ACK(0xffffffffffffffff, 0x10e, 0xa, 0x0, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 
0x0) mount$fuse(0x0, 0x0, 0x0, 0x800010, 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) syz_fuse_handle_req(0xffffffffffffffff, 0x0, 0x0, 0x0) quotactl_fd$Q_GETQUOTA(0xffffffffffffffff, 0xffffffff80000700, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-close_range-setsockopt$netlink_NETLINK_CAP_ACK-syz_usb_connect-mount$fuse-write$FUSE_INIT-syz_fuse_handle_req detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_CAP_ACK(0xffffffffffffffff, 0x10e, 0xa, 0x0, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) mount$fuse(0x0, 0x0, 0x0, 0x800010, 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) syz_fuse_handle_req(0xffffffffffffffff, 0x0, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): 
openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-close_range-setsockopt$netlink_NETLINK_CAP_ACK-syz_usb_connect-mount$fuse-write$FUSE_INIT detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_CAP_ACK(0xffffffffffffffff, 0x10e, 0xa, 0x0, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) mount$fuse(0x0, 0x0, 0x0, 0x800010, 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-close_range-setsockopt$netlink_NETLINK_CAP_ACK-syz_usb_connect-mount$fuse detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_CAP_ACK(0xffffffffffffffff, 0x10e, 0xa, 0x0, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) mount$fuse(0x0, 0x0, 0x0, 0x800010, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true 
KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-close_range-setsockopt$netlink_NETLINK_CAP_ACK-syz_usb_connect-write$FUSE_INIT detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_CAP_ACK(0xffffffffffffffff, 0x10e, 0xa, 0x0, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program crashed: WARNING: kobject bug in v4l2_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-close_range-setsockopt$netlink_NETLINK_CAP_ACK-write$FUSE_INIT detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$netlink_NETLINK_CAP_ACK(0xffffffffffffffff, 0x10e, 0xa, 0x0, 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true 
BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-close_range-syz_usb_connect-write$FUSE_INIT detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-ioctl$DRM_IOCTL_MODE_GETFB2-syz_usb_connect-write$FUSE_INIT detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) ioctl$DRM_IOCTL_MODE_GETFB2(0xffffffffffffffff, 0xc06864ce, 0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false 
NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$dir-syz_usb_connect-write$FUSE_INIT detailed listing: executing program 0: openat$dir(0xffffff9c, 0x0, 0x111000, 0x64) syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, 0x0, 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) 
program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB], 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program did not crash extracting C reproducer testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT program crashed: KASAN: use-after-free Read in v4l2_open simplifying C reproducer testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT program crashed: KASAN: use-after-free Read in v4l2_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none 
SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT program crashed: no output from test machine a never seen crash title: no output from test machine, ignore testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT program crashed: KASAN: use-after-free Read in v4l2_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT program crashed: KASAN: use-after-free Read in v4l2_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true 
Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT program crashed: KASAN: use-after-free Read in v4l2_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT program crashed: KASAN: use-after-free Read in v4l2_open testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT program crashed: KASAN: use-after-free Read in v4l2_open testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, 
&(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open validation run: crashed=true testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open validation run: crashed=true testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect-write$FUSE_INIT detailed listing: executing program 0: syz_usb_connect(0x0, 0x2d, &(0x7f0000000d00)=ANY=[@ANYBLOB="120100021982302013042360e5ec0102030109021b0001000060020904840001ee48b100090582"], 0x0) write$FUSE_INIT(0xffffffffffffffff, 0x0, 0x0) program crashed: KASAN: use-after-free Read in v4l2_open validation run: crashed=true reproducing took 1h32m7.320130475s repro crashed as (corrupted=false): 
==================================================================
BUG: KASAN: use-after-free in v4l2_open+0x398/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444
Read of size 4 at addr ffff88805e0109d0 by task v4l_id/9329

CPU: 0 UID: 0 PID: 9329 Comm: v4l_id Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 v4l2_open+0x398/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444
 chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
 do_dentry_open+0x83d/0x13e0 fs/open.c:947
 vfs_open+0x3b/0x350 fs/open.c:1079
 do_open fs/namei.c:4699 [inline]
 path_openat+0x2e43/0x38a0 fs/namei.c:4858
 do_file_open+0x23e/0x4a0 fs/namei.c:4887
 do_sys_openat2+0x113/0x200 fs/open.c:1364
 do_sys_open fs/open.c:1370 [inline]
 __do_sys_openat fs/open.c:1386 [inline]
 __se_sys_openat fs/open.c:1381 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1381
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f952b947407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc8ba241e0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f952b859880 RCX: 00007f952b947407
RDX: 0000000000000000 RSI: 00007ffc8ba24f1b RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffc8ba24430 R14: 00007f952c0dd000 R15: 0000558db71184d8

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88805e013a80 pfn:0x5e010
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea0000a8dd08 ffff8880b8642cc0 0000000000000000
raw: ffff88805e013a80 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_ZERO|__GFP_COMP), pid 5982, tgid 5982 (kworker/0:7), ts 434826691802, free_ts 435120336118
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f9/0x250 mm/page_alloc.c:1861
 prep_new_page mm/page_alloc.c:1869 [inline]
 get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3949
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5292
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2490
 ___kmalloc_large_node+0x4e/0x120 mm/slub.c:5249
 __kmalloc_large_noprof+0x1a/0x90 mm/slub.c:5270
 kmalloc_noprof include/linux/slab.h:947 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 em28xx_v4l2_init+0xe0/0x3320 drivers/media/usb/em28xx/em28xx-video.c:2709
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1248
 process_one_work+0x98b/0x1630 kernel/workqueue.c:3306
 process_scheduled_works kernel/workqueue.c:3389 [inline]
 worker_thread+0xb49/0x1140 kernel/workqueue.c:3470
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 5982 tgid 5982 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1405 [inline]
 __free_frozen_pages+0x1075/0x11b0 mm/page_alloc.c:2946
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2289 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x18e9/0x3320 drivers/media/usb/em28xx/em28xx-video.c:3080
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1248
 process_one_work+0x98b/0x1630 kernel/workqueue.c:3306
 process_scheduled_works kernel/workqueue.c:3389 [inline]
 worker_thread+0xb49/0x1140 kernel/workqueue.c:3470
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff88805e010880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805e010900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805e010980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff88805e010a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805e010a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: use-after-free in v4l2_open+0x398/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444
Read of size 4 at addr ffff88805e0109d0 by task v4l_id/9329

CPU: 0 UID: 0 PID: 9329 Comm: v4l_id Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 v4l2_open+0x398/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444
 chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
 do_dentry_open+0x83d/0x13e0 fs/open.c:947
 vfs_open+0x3b/0x350 fs/open.c:1079
 do_open fs/namei.c:4699 [inline]
 path_openat+0x2e43/0x38a0 fs/namei.c:4858
 do_file_open+0x23e/0x4a0 fs/namei.c:4887
 do_sys_openat2+0x113/0x200 fs/open.c:1364
 do_sys_open fs/open.c:1370 [inline]
 __do_sys_openat fs/open.c:1386 [inline]
 __se_sys_openat fs/open.c:1381 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1381
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f952b947407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc8ba241e0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f952b859880 RCX: 00007f952b947407
RDX: 0000000000000000 RSI: 00007ffc8ba24f1b RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffc8ba24430 R14: 00007f952c0dd000 R15: 0000558db71184d8

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88805e013a80 pfn:0x5e010
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 ffffea0000a8dd08 ffff8880b8642cc0 0000000000000000
raw: ffff88805e013a80 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_ZERO|__GFP_COMP), pid 5982, tgid 5982 (kworker/0:7), ts 434826691802, free_ts 435120336118
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f9/0x250 mm/page_alloc.c:1861
 prep_new_page mm/page_alloc.c:1869 [inline]
 get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3949
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5292
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2490
 ___kmalloc_large_node+0x4e/0x120 mm/slub.c:5249
 __kmalloc_large_noprof+0x1a/0x90 mm/slub.c:5270
 kmalloc_noprof include/linux/slab.h:947 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 em28xx_v4l2_init+0xe0/0x3320 drivers/media/usb/em28xx/em28xx-video.c:2709
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1248
 process_one_work+0x98b/0x1630 kernel/workqueue.c:3306
 process_scheduled_works kernel/workqueue.c:3389 [inline]
 worker_thread+0xb49/0x1140 kernel/workqueue.c:3470
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 5982 tgid 5982 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1405 [inline]
 __free_frozen_pages+0x1075/0x11b0 mm/page_alloc.c:2946
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2289 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_v4l2_init+0x18e9/0x3320 drivers/media/usb/em28xx/em28xx-video.c:3080
 em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1248
 process_one_work+0x98b/0x1630 kernel/workqueue.c:3306
 process_scheduled_works kernel/workqueue.c:3389 [inline]
 worker_thread+0xb49/0x1140 kernel/workqueue.c:3470
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff88805e010880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805e010900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805e010980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff88805e010a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805e010a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================