Extracting prog: 4m7.652417058s
Minimizing prog: 12m28.214132196s
Simplifying prog options: 0s
Extracting C: 39.531790141s
Simplifying C: 9m43.228401663s
extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)
program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, 0x0, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB], 0x0)
program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
simplifying C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
validation run: crashed=true
reproducing took 31m51.450298893s
repro crashed as (corrupted=false):
rc rc0: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.0/rc/rc0
input: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.0/rc/rc0/input6
------------[ cut here ]------------
usb 1-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 60
WARNING: drivers/usb/core/urb.c:413 at usb_submit_urb+0x1074/0x18c0 drivers/usb/core/urb.c:411, CPU#1: kworker/1:4/5691
Modules linked in:
CPU: 1 UID: 0 PID: 5691 Comm: kworker/1:4 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0x1122/0x18c0 drivers/usb/core/urb.c:411
Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 b4 f2 ff ff 89 e9
RSP: 0018:ffffc90004e56d48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888034eac500 RCX: 0000000080000380
RDX: ffff88802a9dac80 RSI: ffffffff8bf2e0c0 RDI: ffffffff8fba9200
RBP: 1ffff1100733210a R08: 0000000000000060 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1f5be9f R12: ffff888039ff2100
R13: ffff888039990850 R14: 0000000080000380 R15: ffff88802a9dac80
FS: 0000000000000000(0000) GS:ffff888125d94000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1c0cfd3e9c CR3: 0000000036296000 CR4: 00000000003526f0
Call Trace:
igorplugusb_cmd drivers/media/rc/igorplugusb.c:127 [inline]
igorplugusb_probe+0x812/0xc70 drivers/media/rc/igorplugusb.c:225
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:707
__driver_probe_device+0x1e2/0x350 drivers/base/dd.c:869
driver_probe_device+0x4f/0x240 drivers/base/dd.c:899
__device_attach_driver+0x270/0x410 drivers/base/dd.c:1027
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1099
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1154
bus_probe_device+0x12d/0x220 drivers/base/bus.c:620
device_add+0x7ec/0xb90 drivers/base/core.c:3702
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:707
__driver_probe_device+0x1e2/0x350 drivers/base/dd.c:869
driver_probe_device+0x4f/0x240 drivers/base/dd.c:899
__device_attach_driver+0x270/0x410 drivers/base/dd.c:1027
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1099
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1154
bus_probe_device+0x12d/0x220 drivers/base/bus.c:620
device_add+0x7ec/0xb90 drivers/base/core.c:3702
usb_new_device+0x9f8/0x16e0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a49/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x98b/0x1630 kernel/workqueue.c:3318
process_scheduled_works kernel/workqueue.c:3401 [inline]
worker_thread+0xb49/0x1140 kernel/workqueue.c:3482
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 00 fc add %bh,%ah
6: ff lcall (bad)
7: df 0f fisttps (%rdi)
9: b6 44 mov $0x44,%dh
b: 05 00 84 c0 0f add $0xfc08400,%eax
10: 85 91 05 00 00 45 test %edx,0x45000005(%rcx)
16: 0f b6 45 00 movzbl 0x0(%rbp),%eax
1a: 48 8b 7c 24 18 mov 0x18(%rsp),%rdi
1f: 48 8b 74 24 10 mov 0x10(%rsp),%rsi
24: 4c 89 fa mov %r15,%rdx
27: 44 89 f1 mov %r14d,%ecx
* 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2f: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
36: fc ff df
39: e9 b4 f2 ff ff jmp 0xfffff2f2
3e: 89 e9 mov %ebp,%ecx
final repro crashed as (corrupted=false):
rc rc0: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.0/rc/rc0
input: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.0/usb1/1-1/1-1:0.0/rc/rc0/input6
------------[ cut here ]------------
usb 1-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 60
WARNING: drivers/usb/core/urb.c:413 at usb_submit_urb+0x1074/0x18c0 drivers/usb/core/urb.c:411, CPU#1: kworker/1:4/5691
Modules linked in:
CPU: 1 UID: 0 PID: 5691 Comm: kworker/1:4 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0x1122/0x18c0 drivers/usb/core/urb.c:411
Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 b4 f2 ff ff 89 e9
RSP: 0018:ffffc90004e56d48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888034eac500 RCX: 0000000080000380
RDX: ffff88802a9dac80 RSI: ffffffff8bf2e0c0 RDI: ffffffff8fba9200
RBP: 1ffff1100733210a R08: 0000000000000060 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1f5be9f R12: ffff888039ff2100
R13: ffff888039990850 R14: 0000000080000380 R15: ffff88802a9dac80
FS: 0000000000000000(0000) GS:ffff888125d94000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1c0cfd3e9c CR3: 0000000036296000 CR4: 00000000003526f0
Call Trace:
igorplugusb_cmd drivers/media/rc/igorplugusb.c:127 [inline]
igorplugusb_probe+0x812/0xc70 drivers/media/rc/igorplugusb.c:225
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:707
__driver_probe_device+0x1e2/0x350 drivers/base/dd.c:869
driver_probe_device+0x4f/0x240 drivers/base/dd.c:899
__device_attach_driver+0x270/0x410 drivers/base/dd.c:1027
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1099
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1154
bus_probe_device+0x12d/0x220 drivers/base/bus.c:620
device_add+0x7ec/0xb90 drivers/base/core.c:3702
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:707
__driver_probe_device+0x1e2/0x350 drivers/base/dd.c:869
driver_probe_device+0x4f/0x240 drivers/base/dd.c:899
__device_attach_driver+0x270/0x410 drivers/base/dd.c:1027
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1099
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1154
bus_probe_device+0x12d/0x220 drivers/base/bus.c:620
device_add+0x7ec/0xb90 drivers/base/core.c:3702
usb_new_device+0x9f8/0x16e0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a49/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x98b/0x1630 kernel/workqueue.c:3318
process_scheduled_works kernel/workqueue.c:3401 [inline]
worker_thread+0xb49/0x1140 kernel/workqueue.c:3482
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 00 fc add %bh,%ah
6: ff lcall (bad)
7: df 0f fisttps (%rdi)
9: b6 44 mov $0x44,%dh
b: 05 00 84 c0 0f add $0xfc08400,%eax
10: 85 91 05 00 00 45 test %edx,0x45000005(%rcx)
16: 0f b6 45 00 movzbl 0x0(%rbp),%eax
1a: 48 8b 7c 24 18 mov 0x18(%rsp),%rdi
1f: 48 8b 74 24 10 mov 0x10(%rsp),%rsi
24: 4c 89 fa mov %r15,%rdx
27: 44 89 f1 mov %r14d,%ecx
* 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2f: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
36: fc ff df
39: e9 b4 f2 ff ff jmp 0xfffff2f2
3e: 89 e9 mov %ebp,%ecx