program: r0 = syz_usb_connect(0x3, 0x3c, &(0x7f0000000380)=ANY=[@ANYBLOB="120101000814c910be0632a2f333010203010902120001000000000904"], 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) syz_usb_control_io$printer(r0, 0x0, 0x0) r1 = syz_open_dev$I2C(&(0x7f00000000c0), 0xc, 0x88000) syz_usb_control_io$hid(r0, 0x0, 0x0) syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000600)={0x2c, &(0x7f0000000000)=ANY=[], 0x0, 0x0, 0x0, 0x0}) ioctl$I2C_SMBUS(r1, 0x720, &(0x7f0000000140)={0x1, 0x6, 0x2, &(0x7f0000000100)={0x1c, "3ac071ffbc8cd0d684737d99bb8bd238954c9a216d398df0f558125211b40c65fd"}}) r2 = openat$comedi(0xffffff9c, &(0x7f0000000040)='/dev/comedi5\x00', 0x369102, 0x0) ioctl$COMEDI_DEVCONFIG(r2, 0x40946400, &(0x7f0000000300)={'adq12b\x00', [0x2f00, 0x5, 0xd09a, 0xfff7ffff, 0x3, 0xfffffffe, 0x20000004, 0x6, 0xfffffe00, 0x9, 0xc, 0x1001, 0xe3, 0x5, 0xffff, 0x6, 0x5, 0x40000029, 0x830, 0x30000, 0x10003, 0x2, 0x7fe, 0xe2df, 0x2, 0xd, 0x7, 0x3, 0x4, 0x5, 0x70f]}) r3 = socket$nl_generic(0x10, 0x3, 0x10) connect$pppl2tp(0xffffffffffffffff, &(0x7f0000000080)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x4e24, @broadcast}, 0x4, 0x2, 0x2, 0x4}}, 0x26) r4 = syz_usb_connect(0x0, 0x24, &(0x7f0000000080)=ANY=[@ANYBLOB="120100008e88052086800095d8b601020301090212000100000000090401"], 0x0) syz_usb_control_io$uac1(r4, 0x0, 0x0) r5 = syz_open_dev$I2C(&(0x7f0000000000), 0x2, 0x40402) ioctl$I2C_SMBUS(r5, 0x720, &(0x7f00000000c0)={0x0, 0x1, 0x1, 0x0}) syz_usb_control_io$rtl8150(r4, 0x0, 0x0) r6 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r6, &(0x7f00000000c0)={0x0, 0x0, 
&(0x7f0000000000)={&(0x7f0000000480)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a05400000000000000000010000000900010073797a300000000040000000030a01010000000000000000010000000900030073797a300000000014000480080002400000000008000140000000000900010073797a30000000004c000000060a01040000000000000000010000002400048020000180080001006f736600140002800500020000000000080001400000001408000b40000000000900010073797a300000000014000000110001"], 0xd4}}, 0x0) syz_emit_ethernet(0x4a, &(0x7f00000001c0)=ANY=[@ANYBLOB="aaaaaaaaaaaa00000000000086dd6bedbcb800140600fc020000000000000000000000000001200100000000000000000000000000004e214e24", @ANYRES32=0x41424344, @ANYRES32=0x41424344, @ANYBLOB="71c2000390780001"], 0x0) r7 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16=r7, @ANYBLOB="000100000000ffdbdf250600000008000300", @ANYRES32=r8, @ANYBLOB="dc"], 0x28}}, 0x0) r9 = syz_open_dev$dri(&(0x7f0000000000), 0x1ff, 0x0) ioctl$DRM_IOCTL_MODE_CURSOR(r9, 0xc01c64a3, &(0x7f0000000280)={0x3, 0x0, 0x1, 0xffff, 0xa, 0x1ff, 0x1}) nanosleep(0x0, 0x0) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000640)=ANY=[@ANYBLOB="b000000008021100000108021100000008021100000010000000020000005472306d89e0acee9cb4427f95b14563d7ed0cab3d808ca30ac6f31c5eb753024356f5cc90c4791311bf4726f45fff9a3bbc9be9b8c9e0cb55c8370c1e49ed3ddfc94c57b4843fc74b49eba0949f4fb62d40e5afa002474b41862fe50bdf752c1c1a5d1a59415f2b4bfa7659b0812803ba33df743818bfcb6cc63ab386e6f7b54cbc71cf7134701b923931"], 0x1e) ioctl$COMEDI_INSN(r2, 0x8028640c, &(0x7f0000000080)={0x4000000, 0xf, &(0x7f00000003c0)=[0x4, 0x0, 0x2, 0x9, 0x80000000, 0x4, 0x1fb, 0x9, 0xff, 0xb, 0xdd0, 0x2, 0xfff, 0x80000000, 0x9], 0x2, 0x9}) r10 = openat$vicodec0(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) 
ioctl$VIDIOC_S_OUTPUT(r10, 0xc004562f, &(0x7f0000000100)=0x1) openat$vicodec0(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0) [ 74.308880][ T4686] Bluetooth: hci0: command tx timeout [ 74.628847][ T5332] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 74.779145][ T5332] usb 5-1: Using ep0 maxpacket: 16 [ 74.786817][ T5332] usb 5-1: New USB device found, idVendor=06be, idProduct=a232, bcdDevice=33.f3 [ 74.791221][ T5332] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 74.794857][ T5332] usb 5-1: Product: syz [ 74.796907][ T5332] usb 5-1: Manufacturer: syz [ 74.799608][ T5332] usb 5-1: SerialNumber: syz [ 74.807212][ T5332] usb 5-1: config 0 descriptor?? [ 75.222553][ T5332] dvb-usb: found a 'AME DTV-5100 USB2.0 DVB-T' in warm state. [ 75.230672][ T5332] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer. [ 75.235820][ T5332] dvbdev: DVB: registering new adapter (AME DTV-5100 USB2.0 DVB-T) [ 75.240689][ T5332] usb 5-1: media controller created [ 75.252114][ T5332] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 75.434553][ T5332] zl10353_read_register: readreg error (reg=127, ret==0) [ 75.438428][ T5332] dvb-usb: no frontend was attached by 'AME DTV-5100 USB2.0 DVB-T' [ 75.467016][ T5332] dvb-usb: AME DTV-5100 USB2.0 DVB-T successfully initialized and connected. 
[ 75.825833][ T5340] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 75.832958][ T5340] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 75.849630][ T5340] ------------[ cut here ]------------ [ 75.852036][ T5340] usb 5-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0 [ 75.855613][ T5340] WARNING: drivers/usb/core/urb.c:414 at 0x0, CPU#0: syz.0.0/5340 [ 75.859558][ T5340] Modules linked in: [ 75.861967][ T5340] CPU: 0 UID: 0 PID: 5340 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.867229][ T5340] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.872345][ T5340] RIP: 0010:usb_submit_urb+0x111c/0x18d0 [ 75.875141][ T5340] Code: b8 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 a7 05 00 00 45 0f b6 45 00 48 8b 3c 24 48 8b 74 24 20 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 b7 f2 ff ff 89 e9 [ 75.883791][ T5340] RSP: 0018:ffffc9000a297560 EFLAGS: 00010246 [ 75.886486][ T5340] RAX: 0000000000000000 RBX: ffff88801fc57400 RCX: 0000000080000280 [ 75.890032][ T5340] RDX: ffff8880428ea660 RSI: ffffffff8c341240 RDI: ffffffff8faeddb0 [ 75.893419][ T5340] RBP: 1ffff11002455628 R08: 00000000000000c0 R09: 0000000000000000 [ 75.896754][ T5340] R10: ffffc9000a297660 R11: fffff52001452ed8 R12: ffff888037384100 [ 75.900021][ T5340] R13: ffff8880122ab140 R14: 0000000080000280 R15: ffff8880428ea660 [ 75.903142][ T5340] FS: 00007f8a6a23f6c0(0000) GS:ffff88808d22f000(0000) knlGS:0000000000000000 [ 75.906921][ T5340] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.909642][ T5340] CR2: 00007f8a6a23dfe0 CR3: 00000000447b9000 CR4: 0000000000352ef0 [ 75.912687][ T5340] Call Trace: [ 75.913990][ T5340] <TASK> [ 75.915206][ T5340] ? __init_swait_queue_head+0xa9/0x150 [ 75.917748][ T5340] usb_start_wait_urb+0x115/0x4f0 [ 75.920144][ T5340] ? 
__pfx_usb_start_wait_urb+0x10/0x10 [ 75.922816][ T5340] usb_control_msg+0x232/0x3e0 [ 75.925007][ T5340] dtv5100_i2c_msg+0x231/0x2f0 [ 75.927192][ T5340] dtv5100_i2c_xfer+0x1a4/0x3c0 [ 75.929793][ T5340] __i2c_transfer+0x871/0x2110 [ 75.931991][ T5340] ? stack_depot_save_flags+0x40/0x850 [ 75.934685][ T5340] ? __pfx___i2c_transfer+0x10/0x10 [ 75.936895][ T5340] ? kfree+0x1c0/0x660 [ 75.939017][ T5340] ? tomoyo_path_number_perm+0x47a/0x5a0 [ 75.941468][ T5340] ? security_file_ioctl+0xcb/0x2d0 [ 75.943806][ T5340] __i2c_smbus_xfer+0xf80/0x1e40 [ 75.946009][ T5340] ? __pfx___i2c_smbus_xfer+0x10/0x10 [ 75.948407][ T5340] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 75.951167][ T5340] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 75.953715][ T5340] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 75.956505][ T5340] ? rt_mutex_lock_nested+0x15e/0x1e0 [ 75.959048][ T5340] i2c_smbus_xfer+0x275/0x3c0 [ 75.961292][ T5340] ? __pfx_i2c_smbus_xfer+0x10/0x10 [ 75.963597][ T5340] i2cdev_ioctl_smbus+0x1cd/0x750 [ 75.965795][ T5340] ? __pfx_i2cdev_ioctl_smbus+0x10/0x10 [ 75.968289][ T5340] i2cdev_ioctl+0x5d3/0x820 [ 75.970823][ T5340] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 75.973234][ T5340] ? __fget_files+0x2a/0x420 [ 75.975325][ T5340] ? bpf_lsm_file_ioctl+0x9/0x20 [ 75.977561][ T5340] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 75.980095][ T5340] __se_sys_ioctl+0xfc/0x170 [ 75.982107][ T5340] do_syscall_64+0xfa/0xf80 [ 75.983896][ T5340] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.986721][ T5340] ? 
clear_bhb_loop+0x60/0xb0 [ 75.989036][ T5340] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.991800][ T5340] RIP: 0033:0x7f8a6938f7c9 [ 75.993918][ T5340] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.002694][ T5340] RSP: 002b:00007f8a6a23f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 76.006545][ T5340] RAX: ffffffffffffffda RBX: 00007f8a695e6090 RCX: 00007f8a6938f7c9 [ 76.010717][ T5340] RDX: 00002000000000c0 RSI: 0000000000000720 RDI: 0000000000000007 [ 76.013917][ T5340] RBP: 00007f8a69413f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.017303][ T5340] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.020646][ T5340] R13: 00007f8a695e6128 R14: 00007f8a695e6090 R15: 00007ffc5562a548 [ 76.024310][ T5340] </TASK> [ 76.025744][ T5340] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 76.028943][ T5340] CPU: 0 UID: 0 PID: 5340 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.032829][ T5340] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.037431][ T5340] Call Trace: [ 76.038904][ T5340] <TASK> [ 76.040244][ T5340] dump_stack_lvl+0x99/0x250 [ 76.042422][ T5340] ? __asan_memcpy+0x40/0x70 [ 76.044206][ T5340] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.046538][ T5340] ? __pfx__printk+0x10/0x10 [ 76.048587][ T5340] vpanic+0x237/0x6d0 [ 76.050422][ T5340] ? __pfx_vpanic+0x10/0x10 [ 76.052482][ T5340] ? is_bpf_text_address+0x292/0x2b0 [ 76.054928][ T5340] ? is_bpf_text_address+0x26/0x2b0 [ 76.057285][ T5340] panic+0xb9/0xc0 [ 76.058953][ T5340] ? __pfx_panic+0x10/0x10 [ 76.060875][ T5340] __warn+0x317/0x4b0 [ 76.062646][ T5340] __report_bug+0x288/0x500 [ 76.064731][ T5340] ? __pfx___report_bug+0x10/0x10 [ 76.066952][ T5340] report_bug_entry+0x16a/0x220 [ 76.068982][ T5340] ? usb_submit_urb+0x111c/0x18d0 [ 76.071145][ T5340] ? 
usb_submit_urb+0x1121/0x18d0 [ 76.073402][ T5340] handle_bug+0xca/0x200 [ 76.075387][ T5340] exc_invalid_op+0x1a/0x50 [ 76.077843][ T5340] asm_exc_invalid_op+0x1a/0x20 [ 76.080277][ T5340] RIP: 0010:usb_submit_urb+0x111c/0x18d0 [ 76.082968][ T5340] Code: b8 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 a7 05 00 00 45 0f b6 45 00 48 8b 3c 24 48 8b 74 24 20 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 b7 f2 ff ff 89 e9 [ 76.091504][ T5340] RSP: 0018:ffffc9000a297560 EFLAGS: 00010246 [ 76.094382][ T5340] RAX: 0000000000000000 RBX: ffff88801fc57400 RCX: 0000000080000280 [ 76.097908][ T5340] RDX: ffff8880428ea660 RSI: ffffffff8c341240 RDI: ffffffff8faeddb0 [ 76.101494][ T5340] RBP: 1ffff11002455628 R08: 00000000000000c0 R09: 0000000000000000 [ 76.105056][ T5340] R10: ffffc9000a297660 R11: fffff52001452ed8 R12: ffff888037384100 [ 76.108362][ T5340] R13: ffff8880122ab140 R14: 0000000080000280 R15: ffff8880428ea660 [ 76.111699][ T5340] ? __init_swait_queue_head+0xa9/0x150 [ 76.114079][ T5340] usb_start_wait_urb+0x115/0x4f0 [ 76.116317][ T5340] ? __pfx_usb_start_wait_urb+0x10/0x10 [ 76.119311][ T5340] usb_control_msg+0x232/0x3e0 [ 76.121410][ T5340] dtv5100_i2c_msg+0x231/0x2f0 [ 76.123560][ T5340] dtv5100_i2c_xfer+0x1a4/0x3c0 [ 76.125753][ T5340] __i2c_transfer+0x871/0x2110 [ 76.127838][ T5340] ? stack_depot_save_flags+0x40/0x850 [ 76.130155][ T5340] ? __pfx___i2c_transfer+0x10/0x10 [ 76.132343][ T5340] ? kfree+0x1c0/0x660 [ 76.134230][ T5340] ? tomoyo_path_number_perm+0x47a/0x5a0 [ 76.136736][ T5340] ? security_file_ioctl+0xcb/0x2d0 [ 76.138913][ T5340] __i2c_smbus_xfer+0xf80/0x1e40 [ 76.141053][ T5340] ? __pfx___i2c_smbus_xfer+0x10/0x10 [ 76.142896][ T5340] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 76.144826][ T5340] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 76.147298][ T5340] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 76.149910][ T5340] ? 
rt_mutex_lock_nested+0x15e/0x1e0 [ 76.152231][ T5340] i2c_smbus_xfer+0x275/0x3c0 [ 76.154381][ T5340] ? __pfx_i2c_smbus_xfer+0x10/0x10 [ 76.156745][ T5340] i2cdev_ioctl_smbus+0x1cd/0x750 [ 76.159059][ T5340] ? __pfx_i2cdev_ioctl_smbus+0x10/0x10 [ 76.161494][ T5340] i2cdev_ioctl+0x5d3/0x820 [ 76.163630][ T5340] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 76.165995][ T5340] ? __fget_files+0x2a/0x420 [ 76.168094][ T5340] ? bpf_lsm_file_ioctl+0x9/0x20 [ 76.170121][ T5340] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 76.172208][ T5340] __se_sys_ioctl+0xfc/0x170 [ 76.174197][ T5340] do_syscall_64+0xfa/0xf80 [ 76.176043][ T5340] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.178706][ T5340] ? clear_bhb_loop+0x60/0xb0 [ 76.180755][ T5340] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.183552][ T5340] RIP: 0033:0x7f8a6938f7c9 [ 76.185611][ T5340] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.193817][ T5340] RSP: 002b:00007f8a6a23f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 76.197639][ T5340] RAX: ffffffffffffffda RBX: 00007f8a695e6090 RCX: 00007f8a6938f7c9 [ 76.201369][ T5340] RDX: 00002000000000c0 RSI: 0000000000000720 RDI: 0000000000000007 [ 76.204898][ T5340] RBP: 00007f8a69413f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.208289][ T5340] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.211610][ T5340] R13: 00007f8a695e6128 R14: 00007f8a695e6090 R15: 00007ffc5562a548 [ 76.214956][ T5340] </TASK> [ 76.216733][ T5340] Kernel Offset: disabled [ 76.218724][ T5340] Rebooting in 86400 seconds..