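program:
# Triage notes for this reproducer (syzkaller program format, one call per line).
# The console log that follows shows a WARNING at drivers/usb/core/urb.c:413
# ("BOGUS control dir") reached through
#   ioctl -> i2cdev_ioctl -> i2c_smbus_xfer -> dtv5100_i2c_xfer -> dtv5100_i2c_msg
#         -> usb_control_msg -> usb_submit_urb
# and a panic only because panic_on_warn is set on the fuzzing kernel.
# Both logged values (pipe 80000280, bRequestType c0) carry the IN direction bit,
# so the mismatch is presumably a zero-length control read, which the USB core
# treats as OUT -- TODO confirm against dtv5100_i2c_msg before writing the fix.
#
# NOTE(review): the two "<rN=>" result bindings below were missing on the page
# (angle-bracket tokens look stripped by extraction; the <TASK> markers in the
# traces are blank for the same reason). They are restored here because r3 and
# r10 are consumed by the following sendmsg calls.

# Emulated USB device. The descriptor bytes carry idVendor 0x06be / idProduct
# 0xa232, matching the "New USB device found" line and the dvb-usb dtv5100 bind.
r0 = syz_usb_connect(0x3, 0x3c, &(0x7f0000000380)=ANY=[@ANYBLOB="120101000814c910be0632a2f333010203010902120001000000000904"], 0x0)

# Netlink/macvlan setup. Not on the warning's call path in the trace; appears
# to be leftover fuzzer noise that a minimized reproducer would likely drop.
r1 = socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'macvlan0\x00', <r3=>0x0})
sendmsg$nl_route(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000001140)={&(0x7f0000000040)=ANY=[@ANYBLOB="680000001000030500"/20, @ANYRES32=0x0, @ANYBLOB="0000000000000000400012800c0001006d6163766c616e00300002800800010010000000100005800a000400aaaaaaaaaabb000008000300030000000a000400aaaaaaaab1aa000008000500", @ANYRES32=r3], 0x68}}, 0x0)

# KVM VM/vCPU setup. Also absent from the call trace; likely unrelated.
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0), 0x40081, 0x0)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
r6 = syz_kvm_setup_syzos_vm$x86(r5, &(0x7f0000a98000/0x400000)=nil)
ioctl$KVM_CAP_SPLIT_IRQCHIP(r5, 0x4068aea3, &(0x7f0000000140)={0x79, 0x0, 0x334})
r7 = syz_kvm_add_vcpu$x86(r6, &(0x7f00000000c0)={0x0, 0x0})
ioctl$KVM_SET_SREGS(r7, 0x4138ae84, &(0x7f0000000800)={{0x30000, 0xd000, 0x4, 0x0, 0xa, 0xee, 0x11, 0xfe, 0x0, 0x0, 0x8, 0xeb}, {0x80a0000, 0xeeef0000, 0xa, 0x7, 0x5, 0x7, 0x4, 0x14, 0x0, 0x5, 0x8, 0x3}, {0x5000, 0x58000, 0xb, 0xc, 0x26, 0x8, 0x81, 0x5, 0x80, 0x4, 0x1, 0x70}, {0xdddd0000, 0x10000, 0xc, 0xfe, 0x3, 0x5, 0xc3, 0xfb, 0x0, 0x2, 0x5, 0xe}, {0xb000, 0x80a0000, 0x10, 0x3, 0xc, 0x9, 0x6, 0x7, 0x5, 0x6, 0x28, 0xbc}, {0x4, 0x10000, 0x9, 0xb9, 0x3, 0x5, 0x42, 0x7, 0xb0, 0x1, 0xff, 0x10}, {0x8080000, 0x0, 0xe, 0x1, 0xc, 0x8, 0x2, 0x62, 0xe4, 0x1, 0x14, 0x5}, {0x1, 0xeeee0000, 0x0, 0x6, 0xc, 0xc, 0x9, 0x9, 0x9, 0x8, 0xc3, 0x3}, {0xffffffff, 0x5}, {0x4000, 0xe}, 0x40000000, 0x0, 0xeeef0002, 0x200, 0x9, 0x0, 0xeeee0c00, [0x1, 0x1004, 0x5, 0x9]})
ioctl$KVM_SET_MSRS(r7, 0x4008ae89, &(0x7f0000000380)={0x1, 0x0, [{0x833, 0x0, 0x4e5b}]})

# Second netlink/macvlan round; same remark as the first.
r8 = socket$nl_route(0x10, 0x3, 0x0)
r9 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
ioctl$sock_SIOCGIFINDEX(r9, 0x8933, &(0x7f0000000000)={'macvlan0\x00', <r10=>0x0})
sendmsg$nl_route(r8, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000001140)={&(0x7f0000000040)=@newlink={0x58, 0x10, 0x503, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x30, 0x12, 0x0, 0x1, @macvlan={{0xc}, {0x20, 0x2, 0x0, 0x1, [@IFLA_MACVLAN_MODE={0x8, 0x1, 0x10}, @IFLA_MACVLAN_MACADDR_MODE={0x8}, @IFLA_MACVLAN_MACADDR={0xa, 0x4, @remote}]}}}, @IFLA_LINK={0x8, 0x5, r10}]}, 0x58}}, 0x0)

# Control-endpoint replies for the emulated device, interleaved with opening an
# I2C character device (/dev/i2c-N; which adapter 0xc selects is not shown here).
syz_usb_control_io$uac1(r0, 0x0, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
r11 = syz_open_dev$I2C(&(0x7f00000000c0), 0xc, 0x88000)
syz_usb_control_io$hid(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, &(0x7f0000000600)={0x2c, &(0x7f0000000000)=ANY=[], 0x0, 0x0, 0x0, 0x0})

# The call that reaches the warning: an SMBus ioctl (request 0x720) on the i2c-dev
# fd. The userspace registers in the trace agree (ORIG_RAX 0x10 = ioctl,
# RSI 0x720, RDI 0xb). The request is forwarded by the driver to the USB core
# without the direction/length combination being validated first.
ioctl$I2C_SMBUS(r11, 0x720, &(0x7f0000000140)={0x1, 0x9, 0x1, &(0x7f0000000040)={0x1c, "3ac071ffbc4c9a2169398df0f558125211b40d6539c50000000000001800000001"}})

[ 102.993562][ T4670] Bluetooth: hci0: command tx timeout
[ 103.301752][ T1232] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 103.451798][ T1232] usb 5-1: Using ep0 maxpacket: 16
[ 103.461768][ T1232] usb 5-1: New USB device found, idVendor=06be, idProduct=a232, bcdDevice=33.f3
[ 103.466160][ T1232] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 103.469796][ T1232] usb 5-1: Product: syz
[ 103.472975][ T1232] usb 5-1: Manufacturer: syz
[ 103.475587][ T1232] usb 5-1: SerialNumber: syz
[ 103.488868][ T1232] usb 5-1: config 0 descriptor??
[ 104.040641][ T1232] dvb-usb: found a 'AME DTV-5100 USB2.0 DVB-T' in warm state.
[ 104.060174][ T1232] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[ 104.069477][ T1232] dvbdev: DVB: registering new adapter (AME DTV-5100 USB2.0 DVB-T)
[ 104.074900][ T1232] usb 5-1: media controller created
[ 104.094879][ T1232] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.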
[ 104.246435][ T1232] zl10353_read_register: readreg error (reg=127, ret==0) [ 104.249758][ T1232] dvb-usb: no frontend was attached by 'AME DTV-5100 USB2.0 DVB-T' [ 104.254795][ T1232] dvb-usb: AME DTV-5100 USB2.0 DVB-T successfully initialized and connected. [ 104.611970][ T5333] ------------[ cut here ]------------ [ 104.615028][ T5333] usb 5-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0 [ 104.618611][ T5333] WARNING: drivers/usb/core/urb.c:413 at usb_submit_urb+0x1053/0x18b0, CPU#0: syz.0.0/5333 [ 104.623924][ T5333] Modules linked in: [ 104.626378][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 104.630331][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 104.635470][ T5333] RIP: 0010:usb_submit_urb+0x1115/0x18b0 [ 104.638486][ T5333] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c1 f2 ff ff 89 e9 [ 104.647457][ T5333] RSP: 0018:ffffc9000cc67688 EFLAGS: 00010246 [ 104.650783][ T5333] RAX: 0000000000000000 RBX: ffff888032c4cd00 RCX: 0000000080000280 [ 104.655508][ T5333] RDX: ffff88803e2dfd20 RSI: ffffffff8c7f35e0 RDI: ffffffff901f16d0 [ 104.659449][ T5333] RBP: 1ffff1100b664800 R08: 00000000000000c0 R09: 0000000000000000 [ 104.663231][ T5333] R10: ffffc9000cc67780 R11: fffff5200198cefc R12: ffff88801bfeb100 [ 104.667149][ T5333] R13: ffff88805b324000 R14: 0000000080000280 R15: ffff88803e2dfd20 [ 104.671020][ T5333] FS: 00007f99628406c0(0000) GS:ffff88808ca51000(0000) knlGS:0000000000000000 [ 104.676797][ T5333] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 104.680869][ T5333] CR2: 00007f996283fff8 CR3: 000000001248a000 CR4: 0000000000352ef0 [ 104.684864][ T5333] Call Trace: [ 104.686654][ T5333] [ 104.688167][ T5333] ? 
__init_swait_queue_head+0xa9/0x150 [ 104.690912][ T5333] usb_start_wait_urb+0x13f/0x5b0 [ 104.693593][ T5333] ? __pfx_usb_start_wait_urb+0x10/0x10 [ 104.696322][ T5333] usb_control_msg+0x234/0x3e0 [ 104.698633][ T5333] dtv5100_i2c_msg+0x231/0x2f0 [ 104.700907][ T5333] dtv5100_i2c_xfer+0x1a4/0x3c0 [ 104.703080][ T5333] ? __bfs+0x153/0x290 [ 104.704764][ T5333] __i2c_transfer+0x79a/0x2020 [ 104.706909][ T5333] __i2c_smbus_xfer+0xfca/0x1f70 [ 104.709229][ T5333] ? __pfx___i2c_smbus_xfer+0x10/0x10 [ 104.711455][ T5333] ? lockdep_hardirqs_on+0x7a/0x110 [ 104.714133][ T5333] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 104.716478][ T5333] ? rt_mutex_lock_nested+0x15c/0x1e0 [ 104.718646][ T5333] i2c_smbus_xfer+0x1f4/0x310 [ 104.721125][ T5333] i2cdev_ioctl_smbus+0x434/0x730 [ 104.723663][ T5333] ? __pfx_i2cdev_ioctl_smbus+0x10/0x10 [ 104.726277][ T5333] i2cdev_ioctl+0x615/0x880 [ 104.728426][ T5333] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 104.730854][ T5333] ? __fget_files+0x2a/0x420 [ 104.733410][ T5333] ? __fget_files+0x3a0/0x420 [ 104.735532][ T5333] ? bpf_lsm_file_ioctl+0x9/0x20 [ 104.737879][ T5333] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 104.740265][ T5333] __se_sys_ioctl+0xfc/0x170 [ 104.742458][ T5333] do_syscall_64+0x14d/0xf80 [ 104.744705][ T5333] ? trace_irq_disable+0x3b/0x150 [ 104.747123][ T5333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 104.749951][ T5333] ? 
clear_bhb_loop+0x40/0x90 [ 104.752167][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 104.754514][ T5333] RIP: 0033:0x7f996199c799 [ 104.756470][ T5333] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 104.766644][ T5333] RSP: 002b:00007f996283ffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 104.770537][ T5333] RAX: ffffffffffffffda RBX: 00007f9961c16090 RCX: 00007f996199c799 [ 104.774200][ T5333] RDX: 0000200000000140 RSI: 0000000000000720 RDI: 000000000000000b [ 104.777820][ T5333] RBP: 00007f9961a32c99 R08: 0000000000000000 R09: 0000000000000000 [ 104.781824][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 104.785198][ T5333] R13: 00007f9961c16128 R14: 00007f9961c16090 R15: 00007ffea9cf1f68 [ 104.788654][ T5333] [ 104.790103][ T5333] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 104.793572][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 104.798001][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 104.802219][ T5333] Call Trace: [ 104.803840][ T5333] [ 104.805303][ T5333] vpanic+0x56c/0xa60 [ 104.807506][ T5333] ? __pfx__printk+0x10/0x10 [ 104.810205][ T5333] ? __pfx_vpanic+0x10/0x10 [ 104.812352][ T5333] ? is_bpf_text_address+0x292/0x2b0 [ 104.814711][ T5333] ? is_bpf_text_address+0x26/0x2b0 [ 104.817020][ T5333] panic+0xc5/0xd0 [ 104.818682][ T5333] ? __pfx_panic+0x10/0x10 [ 104.821080][ T5333] __warn+0x315/0x4f0 [ 104.823349][ T5333] ? usb_submit_urb+0x1053/0x18b0 [ 104.826004][ T5333] ? usb_submit_urb+0x1053/0x18b0 [ 104.828682][ T5333] __report_bug+0x29a/0x540 [ 104.830849][ T5333] ? usb_submit_urb+0x1053/0x18b0 [ 104.833238][ T5333] ? __pfx___report_bug+0x10/0x10 [ 104.835793][ T5333] ? lockdep_hardirqs_on+0x7a/0x110 [ 104.838501][ T5333] ? 
_raw_spin_unlock_irqrestore+0x4c/0x80 [ 104.841597][ T5333] report_bug_entry+0x19a/0x290 [ 104.844213][ T5333] ? usb_submit_urb+0x1115/0x18b0 [ 104.846544][ T5333] ? usb_submit_urb+0x111a/0x18b0 [ 104.848902][ T5333] handle_bug+0xce/0x200 [ 104.850975][ T5333] exc_invalid_op+0x1a/0x50 [ 104.853332][ T5333] asm_exc_invalid_op+0x1a/0x20 [ 104.856151][ T5333] RIP: 0010:usb_submit_urb+0x1115/0x18b0 [ 104.859058][ T5333] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c1 f2 ff ff 89 e9 [ 104.868012][ T5333] RSP: 0018:ffffc9000cc67688 EFLAGS: 00010246 [ 104.871612][ T5333] RAX: 0000000000000000 RBX: ffff888032c4cd00 RCX: 0000000080000280 [ 104.875557][ T5333] RDX: ffff88803e2dfd20 RSI: ffffffff8c7f35e0 RDI: ffffffff901f16d0 [ 104.879272][ T5333] RBP: 1ffff1100b664800 R08: 00000000000000c0 R09: 0000000000000000 [ 104.883278][ T5333] R10: ffffc9000cc67780 R11: fffff5200198cefc R12: ffff88801bfeb100 [ 104.888034][ T5333] R13: ffff88805b324000 R14: 0000000080000280 R15: ffff88803e2dfd20 [ 104.891791][ T5333] ? usb_submit_urb+0x10a4/0x18b0 [ 104.893986][ T5333] ? __init_swait_queue_head+0xa9/0x150 [ 104.896464][ T5333] usb_start_wait_urb+0x13f/0x5b0 [ 104.898938][ T5333] ? __pfx_usb_start_wait_urb+0x10/0x10 [ 104.901711][ T5333] usb_control_msg+0x234/0x3e0 [ 104.904234][ T5333] dtv5100_i2c_msg+0x231/0x2f0 [ 104.906400][ T5333] dtv5100_i2c_xfer+0x1a4/0x3c0 [ 104.908445][ T5333] ? __bfs+0x153/0x290 [ 104.910254][ T5333] __i2c_transfer+0x79a/0x2020 [ 104.912617][ T5333] __i2c_smbus_xfer+0xfca/0x1f70 [ 104.915223][ T5333] ? __pfx___i2c_smbus_xfer+0x10/0x10 [ 104.917712][ T5333] ? lockdep_hardirqs_on+0x7a/0x110 [ 104.919830][ T5333] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 104.922310][ T5333] ? 
rt_mutex_lock_nested+0x15c/0x1e0 [ 104.924563][ T5333] i2c_smbus_xfer+0x1f4/0x310 [ 104.926897][ T5333] i2cdev_ioctl_smbus+0x434/0x730 [ 104.929552][ T5333] ? __pfx_i2cdev_ioctl_smbus+0x10/0x10 [ 104.932210][ T5333] i2cdev_ioctl+0x615/0x880 [ 104.935098][ T5333] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 104.937424][ T5333] ? __fget_files+0x2a/0x420 [ 104.939735][ T5333] ? __fget_files+0x3a0/0x420 [ 104.942056][ T5333] ? bpf_lsm_file_ioctl+0x9/0x20 [ 104.944803][ T5333] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 104.947806][ T5333] __se_sys_ioctl+0xfc/0x170 [ 104.950057][ T5333] do_syscall_64+0x14d/0xf80 [ 104.952295][ T5333] ? trace_irq_disable+0x3b/0x150 [ 104.954541][ T5333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 104.957371][ T5333] ? clear_bhb_loop+0x40/0x90 [ 104.959729][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 104.962670][ T5333] RIP: 0033:0x7f996199c799 [ 104.964900][ T5333] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 104.974069][ T5333] RSP: 002b:00007f996283ffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 104.978350][ T5333] RAX: ffffffffffffffda RBX: 00007f9961c16090 RCX: 00007f996199c799 [ 104.981992][ T5333] RDX: 0000200000000140 RSI: 0000000000000720 RDI: 000000000000000b [ 104.985446][ T5333] RBP: 00007f9961a32c99 R08: 0000000000000000 R09: 0000000000000000 [ 104.988896][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 104.992727][ T5333] R13: 00007f9961c16128 R14: 00007f9961c16090 R15: 00007ffea9cf1f68 [ 104.997431][ T5333] [ 104.999375][ T5333] Kernel Offset: disabled [ 105.001437][ T5333] Rebooting in 86400 seconds..