program:
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000500), 0x2, 0x0)
ioctl$IOCTL_VMCI_QUEUEPAIR_SETPF(r0, 0x7a9, &(0x7f0000000540)={{@my=0x1, 0x9}, 0x31, 0xe, 0x4, 0x5, 0x6, 0x8, 0x7, 0xb36})
r1 = socket$nl_route(0x10, 0x3, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='cgroup.controllers\x00', 0x275a, 0x0)
close(r2)
syz_80211_inject_frame(&(0x7f00000074c0), &(0x7f0000007500)=ANY=[@ANYBLOB="38100800ffffffffffff080213000001505050505050"], 0x18)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000100)={'wlan0\x00', <r4=>0x0})
recvmsg$unix(r2, &(0x7f00000025c0)={0x0, 0x0, &(0x7f00000002c0)=[{&(0x7f0000001580)=""/4096, 0x1000}, {&(0x7f00000003c0)=""/164, 0xa4}, {&(0x7f0000000040)=""/62, 0x3e}, {&(0x7f0000000480)=""/105, 0x69}, {&(0x7f0000000600)=""/52, 0x34}, {&(0x7f0000000080)=""/8, 0x8}], 0x6}, 0x10000)
sendmsg$IPCTNL_MSG_EXP_DELETE(r2, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000002700)={&(0x7f0000000640)=ANY=[@ANYBLOB="cc000000027f0e61eeda7ca4332f463badcf90e5629e7722f4fb4f72d7e1f56a98cfeb497529f24ffadcf3387be702c51ec8186d77d6d5d64ed9df1d7b6501b62392fd9a65d1b073b451768c36db853ddd8bfe4d7900304c64d1f4c992714f12bee6c8e83a4718f3bfa2c70c8f334c4f216cad7899aa2a209d3acf080b443259b8091974884018b2ed59cb495219b8e0cada6d78550180c5d5acf3", @ANYRES16=r3], 0x14}}, 0x0)
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), r3)
sendmsg$NL80211_CMD_GET_MPP(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000001c0)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r5, @ANYBLOB="010300007541ef7100001100000008000300", @ANYRES32=r4], 0x1c}}, 0x0)
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r7=>0x0})
r8 = syz_usb_connect(0x3, 0x3c, &(0x7f0000000380)=ANY=[@ANYBLOB="120101000814c910be0632a2f333010203010902120001000000000904"], 0x0)
syz_usb_control_io$uac1(r8, 0x0, 0x0)
syz_usb_control_io$printer(r8, 0x0, 0x0)
r9 = syz_open_dev$I2C(&(0x7f00000000c0), 0xc, 0x88000)
syz_usb_control_io$hid(r8, 0x0, 0x0)
r10 = syz_open_dev$dri(&(0x7f00000000c0), 0x1ff, 0x0)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r10, 0xc04064a0, &(0x7f00000003c0)={0x0, &(0x7f0000000300)=[0x0], 0x0, 0x0, 0x0, 0x1})
r11 = syz_open_dev$dri(&(0x7f00000008c0), 0xd21, 0x0)
ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r11, 0xc00c643c, &(0x7f0000000300)={0x0, 0x0, r10})
syz_usb_control_io$hid(r8, 0x0, &(0x7f0000000600)={0x18, &(0x7f0000000400)=ANY=[@ANYBLOB="201600000000"], 0x0, 0x0, 0x0, 0x0})
ioctl$I2C_SMBUS(r9, 0x720, &(0x7f0000000140)={0x1, 0x20, 0x1, &(0x7f0000000100)={0x12, "3ac071ffbc8cd0d684737d99bb8bd238954c9a216d398df0f558125211b40c65fd"}})
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000700)=ANY=[@ANYBLOB="200000006800e97802000000000000000a0004000000000008000500", @ANYRES32=r7, @ANYBLOB="211e5158d13f50d3d43397b8d91bac4771d938cd02178f67799d9984eef523ea1b2d3fffcd4e7dd8384d0d0083471b0000c27dbed629f37fd8670eb83de984cdcb2faeebe3258ecc27262131ad24492347644debb60eaaba629c426f86c23efce319d8614a344e276cc97ad01900094ea4a4700b31db2f79b58f167eaedd"], 0x20}, 0x1, 0x0, 0x0, 0x4}, 0x24044000)
socket$nl_route(0x10, 0x3, 0x0)
r12 = socket$nl_generic(0x10, 0x3, 0x10)
r13 = syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0), 0xffffffffffffffff)
sendmsg$TIPC_NL_NET_SET(r12, &(0x7f00000003c0)={&(0x7f0000000240)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000340)={&(0x7f0000000440)=ANY=[@ANYBLOB='\x00\x00\x00\x00', @ANYRES16=r13, @ANYBLOB="080001010000fcdbdf250f000000300007800c000400000000000000000008000100090000000c00030000000000000000000c0003000800000000000000040003800c0006800400020004000200300002802400038008000200030000000800020006000000080001000004000008000100040000000800010008000000"], 0x84}, 0x1, 0x0, 0x0, 0x41}, 0x0)

[  103.683948][ T4663] Bluetooth: hci0: command tx timeout
[  103.772822][ T5324] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[  104.094506][   T10] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[  104.244757][   T10] usb 5-1: Using ep0 maxpacket: 16
[  104.255166][   T10] usb 5-1: New USB device found, idVendor=06be, idProduct=a232, bcdDevice=33.f3
[  104.259178][   T10] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  104.263508][   T10] usb 5-1: Product: syz
[  104.266512][   T10] usb 5-1: Manufacturer: syz
[  104.268935][   T10] usb 5-1: SerialNumber: syz
[  104.278717][   T10] usb 5-1: config 0 descriptor??
[  104.696499][   T10] dvb-usb: found a 'AME DTV-5100 USB2.0 DVB-T' in warm state.
[  104.707051][   T10] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[  104.713012][   T10] dvbdev: DVB: registering new adapter (AME DTV-5100 USB2.0 DVB-T)
[  104.726885][   T10] usb 5-1: media controller created
[  104.743008][   T10] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[  104.899229][   T10] zl10353_read_register: readreg error (reg=127, ret==0)
[  104.904945][   T10] dvb-usb: no frontend was attached by 'AME DTV-5100 USB2.0 DVB-T'
[  104.908865][   T10] dvb-usb: AME DTV-5100 USB2.0 DVB-T successfully initialized and connected.
[  105.284468][ T5325] ------------[ cut here ]------------
[  105.287190][ T5325] usb 5-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0
[  105.291485][ T5325] WARNING: drivers/usb/core/urb.c:413 at usb_submit_urb+0x1052/0x18b0, CPU#0: syz.0.0/5325
[  105.298125][ T5325] Modules linked in:
[  105.300359][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  105.304675][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  105.308862][ T5325] RIP: 0010:usb_submit_urb+0x1114/0x18b0
[  105.311331][ T5325] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c2 f2 ff ff 89 e9
[  105.321500][ T5325] RSP: 0018:ffffc9000f747688 EFLAGS: 00010246
[  105.324728][ T5325] RAX: 0000000000000000 RBX: ffff888032bf6d00 RCX: 0000000080000280
[  105.328330][ T5325] RDX: ffff88803931af80 RSI: ffffffff8c7f1a60 RDI: ffffffff901f0880
[  105.331785][ T5325] RBP: 1ffff11003f93a68 R08: 00000000000000c0 R09: 0000000000000000
[  105.335467][ T5325] R10: ffffc9000f747780 R11: fffff52001ee8efc R12: ffff888012335100
[  105.339518][ T5325] R13: ffff88801fc9d340 R14: 0000000080000280 R15: ffff88803931af80
[  105.343319][ T5325] FS:  00007f3e47dd06c0(0000) GS:ffff88808ca56000(0000) knlGS:0000000000000000
[  105.348257][ T5325] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  105.351508][ T5325] CR2: 0000555c799e4158 CR3: 0000000041727000 CR4: 0000000000352ef0
[  105.355612][ T5325] Call Trace:
[  105.357152][ T5325]  <TASK>
[  105.358546][ T5325]  ? __init_swait_queue_head+0xa9/0x150
[  105.361096][ T5325]  usb_start_wait_urb+0x12b/0x510
[  105.363429][ T5325]  ? __pfx_usb_start_wait_urb+0x10/0x10
[  105.366858][ T5325]  usb_control_msg+0x232/0x3e0
[  105.369963][ T5325]  dtv5100_i2c_msg+0x231/0x2f0
[  105.373263][ T5325]  dtv5100_i2c_xfer+0x1a4/0x3c0
[  105.375780][ T5325]  ? __bfs+0x153/0x290
[  105.377759][ T5325]  __i2c_transfer+0x79a/0x2020
[  105.379848][ T5325]  __i2c_smbus_xfer+0xfca/0x1f70
[  105.382377][ T5325]  ? __pfx___i2c_smbus_xfer+0x10/0x10
[  105.384888][ T5325]  ? lockdep_hardirqs_on+0x7a/0x110
[  105.388113][ T5325]  ? _raw_spin_unlock_irqrestore+0x4c/0x80
[  105.390902][ T5325]  ? rt_mutex_lock_nested+0x15c/0x1e0
[  105.393776][ T5325]  i2c_smbus_xfer+0x1f4/0x310
[  105.396148][ T5325]  i2cdev_ioctl_smbus+0x434/0x730
[  105.398369][ T5325]  ? __pfx_i2cdev_ioctl_smbus+0x10/0x10
[  105.400974][ T5325]  i2cdev_ioctl+0x615/0x880
[  105.403429][ T5325]  ? __pfx_i2cdev_ioctl+0x10/0x10
[  105.406168][ T5325]  ? __fget_files+0x2a/0x420
[  105.408248][ T5325]  ? __fget_files+0x3a0/0x420
[  105.410313][ T5325]  ? bpf_lsm_file_ioctl+0x9/0x20
[  105.413160][ T5325]  ? __pfx_i2cdev_ioctl+0x10/0x10
[  105.415575][ T5325]  __se_sys_ioctl+0xfc/0x170
[  105.417548][ T5325]  do_syscall_64+0x14d/0xf80
[  105.419852][ T5325]  ? trace_irq_disable+0x3b/0x150
[  105.422455][ T5325]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  105.425358][ T5325]  ? clear_bhb_loop+0x40/0x90
[  105.427879][ T5325]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  105.431922][ T5325] RIP: 0033:0x7f3e46f9c799
[  105.434844][ T5325] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  105.443746][ T5325] RSP: 002b:00007f3e47dcffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  105.447814][ T5325] RAX: ffffffffffffffda RBX: 00007f3e47216090 RCX: 00007f3e46f9c799
[  105.451759][ T5325] RDX: 0000200000000140 RSI: 0000000000000720 RDI: 0000000000000008
[  105.456193][ T5325] RBP: 00007f3e47032bd9 R08: 0000000000000000 R09: 0000000000000000
[  105.460423][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  105.465165][ T5325] R13: 00007f3e47216128 R14: 00007f3e47216090 R15: 00007ffc4fc26cb8
[  105.469945][ T5325]  </TASK>
[  105.471691][ T5325] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  105.475040][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  105.479021][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  105.483700][ T5325] Call Trace:
[  105.485422][ T5325]  <TASK>
[  105.487182][ T5325]  vpanic+0x56c/0xa60
[  105.489446][ T5325]  ? __pfx__printk+0x10/0x10
[  105.491981][ T5325]  ? __pfx_vpanic+0x10/0x10
[  105.494643][ T5325]  ? is_bpf_text_address+0x292/0x2b0
[  105.497625][ T5325]  ? is_bpf_text_address+0x26/0x2b0
[  105.500705][ T5325]  panic+0xc5/0xd0
[  105.502899][ T5325]  ? __pfx_panic+0x10/0x10
[  105.505664][ T5325]  __warn+0x315/0x4f0
[  105.507953][ T5325]  ? usb_submit_urb+0x1052/0x18b0
[  105.510651][ T5325]  ? usb_submit_urb+0x1052/0x18b0
[  105.513362][ T5325]  __report_bug+0x29a/0x540
[  105.515691][ T5325]  ? usb_submit_urb+0x1052/0x18b0
[  105.518247][ T5325]  ? __pfx___report_bug+0x10/0x10
[  105.520604][ T5325]  ? lockdep_hardirqs_on+0x7a/0x110
[  105.522981][ T5325]  ? _raw_spin_unlock_irqrestore+0x4c/0x80
[  105.525554][ T5325]  report_bug_entry+0x19a/0x290
[  105.527868][ T5325]  ? usb_submit_urb+0x1114/0x18b0
[  105.530488][ T5325]  ? usb_submit_urb+0x1119/0x18b0
[  105.532804][ T5325]  handle_bug+0xce/0x200
[  105.534651][ T5325]  exc_invalid_op+0x1a/0x50
[  105.536690][ T5325]  asm_exc_invalid_op+0x1a/0x20
[  105.538890][ T5325] RIP: 0010:usb_submit_urb+0x1114/0x18b0
[  105.541827][ T5325] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c2 f2 ff ff 89 e9
[  105.550795][ T5325] RSP: 0018:ffffc9000f747688 EFLAGS: 00010246
[  105.553452][ T5325] RAX: 0000000000000000 RBX: ffff888032bf6d00 RCX: 0000000080000280
[  105.557667][ T5325] RDX: ffff88803931af80 RSI: ffffffff8c7f1a60 RDI: ffffffff901f0880
[  105.561717][ T5325] RBP: 1ffff11003f93a68 R08: 00000000000000c0 R09: 0000000000000000
[  105.565340][ T5325] R10: ffffc9000f747780 R11: fffff52001ee8efc R12: ffff888012335100
[  105.569090][ T5325] R13: ffff88801fc9d340 R14: 0000000080000280 R15: ffff88803931af80
[  105.573321][ T5325]  ? usb_submit_urb+0x10a3/0x18b0
[  105.576650][ T5325]  ? __init_swait_queue_head+0xa9/0x150
[  105.579239][ T5325]  usb_start_wait_urb+0x12b/0x510
[  105.581962][ T5325]  ? __pfx_usb_start_wait_urb+0x10/0x10
[  105.584567][ T5325]  usb_control_msg+0x232/0x3e0
[  105.586739][ T5325]  dtv5100_i2c_msg+0x231/0x2f0
[  105.588941][ T5325]  dtv5100_i2c_xfer+0x1a4/0x3c0
[  105.591225][ T5325]  ? __bfs+0x153/0x290
[  105.593153][ T5325]  __i2c_transfer+0x79a/0x2020
[  105.595338][ T5325]  __i2c_smbus_xfer+0xfca/0x1f70
[  105.598877][ T5325]  ? __pfx___i2c_smbus_xfer+0x10/0x10
[  105.601835][ T5325]  ? lockdep_hardirqs_on+0x7a/0x110
[  105.604040][ T5325]  ? _raw_spin_unlock_irqrestore+0x4c/0x80
[  105.606472][ T5325]  ? rt_mutex_lock_nested+0x15c/0x1e0
[  105.608912][ T5325]  i2c_smbus_xfer+0x1f4/0x310
[  105.611080][ T5325]  i2cdev_ioctl_smbus+0x434/0x730
[  105.613357][ T5325]  ? __pfx_i2cdev_ioctl_smbus+0x10/0x10
[  105.616456][ T5325]  i2cdev_ioctl+0x615/0x880
[  105.619133][ T5325]  ? __pfx_i2cdev_ioctl+0x10/0x10
[  105.621675][ T5325]  ? __fget_files+0x2a/0x420
[  105.623830][ T5325]  ? __fget_files+0x3a0/0x420
[  105.625925][ T5325]  ? bpf_lsm_file_ioctl+0x9/0x20
[  105.628111][ T5325]  ? __pfx_i2cdev_ioctl+0x10/0x10
[  105.630377][ T5325]  __se_sys_ioctl+0xfc/0x170
[  105.632535][ T5325]  do_syscall_64+0x14d/0xf80
[  105.634731][ T5325]  ? trace_irq_disable+0x3b/0x150
[  105.636780][ T5325]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  105.639515][ T5325]  ? clear_bhb_loop+0x40/0x90
[  105.641792][ T5325]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  105.644570][ T5325] RIP: 0033:0x7f3e46f9c799
[  105.646858][ T5325] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  105.656614][ T5325] RSP: 002b:00007f3e47dcffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  105.660354][ T5325] RAX: ffffffffffffffda RBX: 00007f3e47216090 RCX: 00007f3e46f9c799
[  105.663734][ T5325] RDX: 0000200000000140 RSI: 0000000000000720 RDI: 0000000000000008
[  105.667130][ T5325] RBP: 00007f3e47032bd9 R08: 0000000000000000 R09: 0000000000000000
[  105.671449][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  105.675566][ T5325] R13: 00007f3e47216128 R14: 00007f3e47216090 R15: 00007ffc4fc26cb8
[  105.679354][ T5325]  </TASK>
[  105.681176][ T5325] Kernel Offset: disabled
[  105.683069][ T5325] Rebooting in 86400 seconds..