program:
r0 = syz_usb_connect(0x5, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="120100024286bd10b00d815522f90102030109021200019ddb10010904"], 0x0)
syz_usb_control_io$hid(r0, &(0x7f0000000340)={0x24, 0x0, &(0x7f0000000180)={0x0, 0x3, 0x2, @string={0x2}}, 0x0, 0x0}, 0x0)
r1 = syz_open_dev$I2C(&(0x7f00000000c0), 0xc, 0x88000)
read(r1, 0x0, 0x0)

[  103.984140][ T5309] Bluetooth: hci0: command tx timeout
[  104.473015][    T9] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[  104.622607][    T9] usb 5-1: Using ep0 maxpacket: 16
[  104.631336][    T9] usb 5-1: New USB device found, idVendor=0db0, idProduct=5581, bcdDevice=f9.22
[  104.639410][    T9] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  104.660832][    T9] usb 5-1: Product: syz
[  104.668229][    T9] usb 5-1: Manufacturer: syz
[  104.671899][    T9] usb 5-1: SerialNumber: syz
[  104.918496][    T9] usb 5-1: dvb_usb_v2: found a 'MSI Mega Sky 55801 DVB-T USB2.0' in warm state
[  104.961423][    T9] usb 5-1: dvb_usb_v2: will pass the complete MPEG2 transport stream to the software demuxer
[  104.987073][    T9] dvbdev: DVB: registering new adapter (MSI Mega Sky 55801 DVB-T USB2.0)
[  105.002232][    T9] usb 5-1: media controller created
[  105.029507][    T9] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[  105.124338][ T5330] ------------[ cut here ]------------
[  105.126943][ T5330] usb 5-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0
[  105.141626][ T5330] WARNING: drivers/usb/core/urb.c:413 at usb_submit_urb+0x1053/0x18b0, CPU#0: syz.0.0/5330
[  105.162019][ T5330] Modules linked in:
[  105.164765][ T5330] CPU: 0 UID: 0 PID: 5330 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  105.168881][ T5330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  105.173786][ T5330] RIP: 0010:usb_submit_urb+0x1115/0x18b0
[  105.176635][ T5330] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c1 f2 ff ff 89 e9
[  105.196509][ T5330] RSP: 0018:ffffc9000e457708 EFLAGS: 00010246
[  105.211067][ T5330] RAX: 0000000000000000 RBX: ffff88803139c900 RCX: 0000000080000280
[  105.215767][ T5330] RDX: ffff888011ceeb20 RSI: ffffffff8c7f38c0 RDI: ffffffff901f2330
[  105.229492][ T5330] RBP: 1ffff1100239dcb0 R08: 00000000000000c0 R09: 0000000000000000
[  105.233259][ T5330] R10: ffffc9000e457800 R11: fffff52001c8af0c R12: ffff888012898100
[  105.250302][ T5330] R13: ffff888011cee580 R14: 0000000080000280 R15: ffff888011ceeb20
[  105.254928][ T5330] FS:  00007fea271156c0(0000) GS:ffff88808ca4e000(0000) knlGS:0000000000000000
[  105.269119][ T5330] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  105.272948][ T5330] CR2: 00005639a4ec6480 CR3: 000000001f426000 CR4: 0000000000352ef0
[  105.276973][ T5330] Call Trace:
[  105.278563][ T5330]  <TASK>
[  105.285465][ T5330]  ? __init_swait_queue_head+0xa9/0x150
[  105.287916][ T5330]  usb_start_wait_urb+0x13f/0x5b0
[  105.300650][ T5330]  ? __pfx_usb_start_wait_urb+0x10/0x10
[  105.303686][ T5330]  usb_control_msg+0x234/0x3e0
[  105.306215][ T5330]  gl861_ctrl_msg+0x207/0x420
[  105.308426][ T5330]  ? __pfx_gl861_ctrl_msg+0x10/0x10
[  105.323586][ T5330]  gl861_i2c_master_xfer+0x439/0x6a0
[  105.326190][ T5330]  __i2c_transfer+0x79a/0x2020
[  105.329024][ T5330]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[  105.332065][ T5330]  ? _raw_spin_unlock_irqrestore+0x4c/0x80
[  105.341667][ T5330]  ? i2c_transfer+0xc8/0x2d0
[  105.344302][ T5330]  i2c_transfer+0x1cc/0x2d0
[  105.360962][ T5330]  i2c_transfer_buffer_flags+0x10d/0x1a0
[  105.364387][ T5330]  ? __pfx_i2c_transfer_buffer_flags+0x10/0x10
[  105.367174][ T5330]  ? i2cdev_read+0xe8/0x250
[  105.390930][ T5330]  i2cdev_read+0x10d/0x250
[  105.392942][ T5330]  ? __pfx_i2cdev_read+0x10/0x10
[  105.395949][ T5330]  vfs_read+0x20c/0xa70
[  105.398141][ T5330]  ? __pfx_vfs_read+0x10/0x10
[  105.409647][ T5330]  ? __fget_files+0x2a/0x420
[  105.416059][ T5330]  ? __fget_files+0x2a/0x420
[  105.420973][ T5330]  ? __fget_files+0x3a0/0x420
[  105.426167][ T5330]  ? __fget_files+0x2a/0x420
[  105.430902][ T5330]  ksys_read+0x150/0x270
[  105.434718][ T5330]  ? __pfx_ksys_read+0x10/0x10
[  105.445230][ T5330]  do_syscall_64+0x14d/0xf80
[  105.447425][ T5330]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  105.457718][ T5330]  ? clear_bhb_loop+0x40/0x90
[  105.466310][ T5330]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  105.475467][ T5330] RIP: 0033:0x7fea2619c799
[  105.477415][ T5330] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  105.496595][ T5330] RSP: 002b:00007fea27114fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  105.500509][ T5330] RAX: ffffffffffffffda RBX: 00007fea26415fa0 RCX: 00007fea2619c799
[  105.514921][ T5330] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[  105.518311][ T5330] RBP: 00007fea26232c99 R08: 0000000000000000 R09: 0000000000000000
[  105.532586][ T5330] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  105.557530][ T5330] R13: 00007fea26416038 R14: 00007fea26415fa0 R15: 00007fff96214b38
[  105.561793][ T5330]  </TASK>
[  105.563579][ T5330] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  105.578464][ T5330] CPU: 0 UID: 0 PID: 5330 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  105.582954][ T5330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  105.604378][ T5330] Call Trace:
[  105.606358][ T5330]  <TASK>
[  105.607826][ T5330]  vpanic+0x56c/0xa60
[  105.609716][ T5330]  ? __pfx__printk+0x10/0x10
[  105.611952][ T5330]  ? __pfx_vpanic+0x10/0x10
[  105.613960][ T5330]  ? is_bpf_text_address+0x292/0x2b0
[  105.616231][ T5330]  ? is_bpf_text_address+0x26/0x2b0
[  105.618501][ T5330]  panic+0xc5/0xd0
[  105.629568][ T5330]  ? __pfx_panic+0x10/0x10
[  105.631710][ T5330]  __warn+0x315/0x4f0
[  105.634367][ T5330]  ? usb_submit_urb+0x1053/0x18b0
[  105.650274][ T5330]  ? usb_submit_urb+0x1053/0x18b0
[  105.652889][ T5330]  __report_bug+0x29a/0x540
[  105.655323][ T5330]  ? usb_submit_urb+0x1053/0x18b0
[  105.657811][ T5330]  ? __pfx___report_bug+0x10/0x10
[  105.679752][ T5330]  ? lockdep_hardirqs_on+0x7a/0x110
[  105.682431][ T5330]  ? _raw_spin_unlock_irqrestore+0x4c/0x80
[  105.685867][ T5330]  report_bug_entry+0x19a/0x290
[  105.688140][ T5330]  ? usb_submit_urb+0x1115/0x18b0
[  105.702804][ T5330]  ? usb_submit_urb+0x111a/0x18b0
[  105.705289][ T5330]  handle_bug+0xce/0x200
[  105.707837][ T5330]  exc_invalid_op+0x1a/0x50
[  105.721938][ T5330]  asm_exc_invalid_op+0x1a/0x20
[  105.724242][ T5330] RIP: 0010:usb_submit_urb+0x1115/0x18b0
[  105.726823][ T5330] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c1 f2 ff ff 89 e9
[  105.758367][ T5330] RSP: 0018:ffffc9000e457708 EFLAGS: 00010246
[  105.763720][ T5330] RAX: 0000000000000000 RBX: ffff88803139c900 RCX: 0000000080000280
[  105.767084][ T5330] RDX: ffff888011ceeb20 RSI: ffffffff8c7f38c0 RDI: ffffffff901f2330
[  105.785096][ T5330] RBP: 1ffff1100239dcb0 R08: 00000000000000c0 R09: 0000000000000000
[  105.798227][ T5330] R10: ffffc9000e457800 R11: fffff52001c8af0c R12: ffff888012898100
[  105.811757][ T5330] R13: ffff888011cee580 R14: 0000000080000280 R15: ffff888011ceeb20
[  105.826736][ T5330]  ? usb_submit_urb+0x10a4/0x18b0
[  105.836239][ T5330]  ? __init_swait_queue_head+0xa9/0x150
[  105.843992][ T5330]  usb_start_wait_urb+0x13f/0x5b0
[  105.851762][ T5330]  ? __pfx_usb_start_wait_urb+0x10/0x10
[  105.862135][ T5330]  usb_control_msg+0x234/0x3e0
[  105.866493][ T5330]  gl861_ctrl_msg+0x207/0x420
[  105.872389][ T5330]  ? __pfx_gl861_ctrl_msg+0x10/0x10
[  105.876992][ T5330]  gl861_i2c_master_xfer+0x439/0x6a0
[  105.880469][ T5330]  __i2c_transfer+0x79a/0x2020
[  105.887777][ T5330]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[  105.902619][ T5330]  ? _raw_spin_unlock_irqrestore+0x4c/0x80
[  105.922186][ T5330]  ? i2c_transfer+0xc8/0x2d0
[  105.924157][ T5330]  i2c_transfer+0x1cc/0x2d0
[  105.934325][ T5330]  i2c_transfer_buffer_flags+0x10d/0x1a0
[  105.942572][ T5330]  ? __pfx_i2c_transfer_buffer_flags+0x10/0x10
[  105.953645][ T5330]  ? i2cdev_read+0xe8/0x250
[  105.959714][ T5330]  i2cdev_read+0x10d/0x250
[  105.965905][ T5330]  ? __pfx_i2cdev_read+0x10/0x10
[  105.974182][ T5330]  vfs_read+0x20c/0xa70
[  105.978082][ T5330]  ? __pfx_vfs_read+0x10/0x10
[  105.983817][ T5330]  ? __fget_files+0x2a/0x420
[  105.991157][ T5330]  ? __fget_files+0x2a/0x420
[  105.993892][ T5330]  ? __fget_files+0x3a0/0x420
[  105.996601][ T5330]  ? __fget_files+0x2a/0x420
[  105.998745][ T5330]  ksys_read+0x150/0x270
[  106.017311][ T5330]  ? __pfx_ksys_read+0x10/0x10
[  106.027335][ T5330]  do_syscall_64+0x14d/0xf80
[  106.034202][ T5330]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  106.036911][ T5330]  ? clear_bhb_loop+0x40/0x90
[  106.048326][ T5330]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  106.052914][ T5330] RIP: 0033:0x7fea2619c799
[  106.054943][ T5330] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  106.080017][ T5330] RSP: 002b:00007fea27114fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  106.087533][ T5330] RAX: ffffffffffffffda RBX: 00007fea26415fa0 RCX: 00007fea2619c799
[  106.091834][ T5330] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[  106.095708][ T5330] RBP: 00007fea26232c99 R08: 0000000000000000 R09: 0000000000000000
[  106.099273][ T5330] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  106.103676][ T5330] R13: 00007fea26416038 R14: 00007fea26415fa0 R15: 00007fff96214b38
[  106.109395][ T5330]  </TASK>
[  106.111275][ T5330] Kernel Offset: disabled
[  106.113315][ T5330] Rebooting in 86400 seconds..