Extracting prog: 3m17.563397905s
Minimizing prog: 12m54.809407387s
Simplifying prog options: 0s
Extracting C: 2m21.21730603s
Simplifying C: 7m2.819753788s


extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)

program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)

program crashed: WARNING in igorplugusb_probe/usb_submit_urb
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB], 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
simplifying C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: WARNING in igorplugusb_probe/usb_submit_urb
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)

program crashed: WARNING in igorplugusb_probe/usb_submit_urb
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)

program crashed: WARNING in igorplugusb_probe/usb_submit_urb
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)

program crashed: WARNING in igorplugusb_probe/usb_submit_urb
validation run: crashed=true
reproducing took 29m32.299069714s
repro crashed as (corrupted=false):
rc rc0: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.3/usb4/4-1/4-1:0.0/rc/rc0
input: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.3/usb4/4-1/4-1:0.0/rc/rc0/input11
------------[ cut here ]------------
usb 4-1: BOGUS control dir, pipe 80000880 doesn't match bRequestType 60
WARNING: drivers/usb/core/urb.c:411 at usb_submit_urb+0x1573/0x1910 drivers/usb/core/urb.c:411, CPU#1: kworker/1:2/2686
Modules linked in:
CPU: 1 UID: 0 PID: 2686 Comm: kworker/1:2 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0x157e/0x1910 drivers/usb/core/urb.c:411
Code: d2 74 5d 48 89 54 24 40 e8 8f 11 c5 fc 4c 89 ef e8 f7 f9 d5 fe 48 89 c6 48 8d 3d 6d 5c 09 06 48 8b 54 24 40 45 89 f8 44 89 f1 <67> 48 0f b9 3a e9 c7 ed ff ff e8 63 11 c5 fc 89 ee bf ff 00 00 00
RSP: 0018:ffffc90006c3efa0 EFLAGS: 00010293
RAX: ffffffff88141de0 RBX: ffff888116206000 RCX: 0000000080000880
RDX: ffff8881046ee740 RSI: ffffffff88141de0 RDI: ffffffff8af71930
RBP: ffff8881202a5058 R08: 0000000000000060 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88811bb23e50
R13: ffff8881202a50b0 R14: 0000000080000880 R15: 0000000000000060
FS:  0000000000000000(0000) GS:ffff8882687a5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc4d3a2a540 CR3: 0000000117b44000 CR4: 00000000003506f0
Call Trace:
 <TASK>
 igorplugusb_cmd drivers/media/rc/igorplugusb.c:127 [inline]
 igorplugusb_probe+0xa2f/0xf90 drivers/media/rc/igorplugusb.c:225
 usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:631 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:709
 __driver_probe_device+0x22e/0x480 drivers/base/dd.c:871
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:901
 __device_attach_driver+0x1df/0x340 drivers/base/dd.c:1029
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1101
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1156
 bus_probe_device+0x64/0x160 drivers/base/bus.c:613
 device_add+0x1210/0x1950 drivers/base/core.c:3706
 usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2268
 usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:631 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:709
 __driver_probe_device+0x22e/0x480 drivers/base/dd.c:871
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:901
 __device_attach_driver+0x1df/0x340 drivers/base/dd.c:1029
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1101
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1156
 bus_probe_device+0x64/0x160 drivers/base/bus.c:613
 device_add+0x1210/0x1950 drivers/base/core.c:3706
 usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953
 process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
 process_scheduled_works kernel/workqueue.c:3385 [inline]
 worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x69a/0xc80 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	d2 74 5d 48          	shlb   %cl,0x48(%rbp,%rbx,2)
   4:	89 54 24 40          	mov    %edx,0x40(%rsp)
   8:	e8 8f 11 c5 fc       	call   0xfcc5119c
   d:	4c 89 ef             	mov    %r13,%rdi
  10:	e8 f7 f9 d5 fe       	call   0xfed5fa0c
  15:	48 89 c6             	mov    %rax,%rsi
  18:	48 8d 3d 6d 5c 09 06 	lea    0x6095c6d(%rip),%rdi        # 0x6095c8c
  1f:	48 8b 54 24 40       	mov    0x40(%rsp),%rdx
  24:	45 89 f8             	mov    %r15d,%r8d
  27:	44 89 f1             	mov    %r14d,%ecx
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	e9 c7 ed ff ff       	jmp    0xffffedfb
  34:	e8 63 11 c5 fc       	call   0xfcc5119c
  39:	89 ee                	mov    %ebp,%esi
  3b:	bf ff 00 00 00       	mov    $0xff,%edi

final repro crashed as (corrupted=false):
rc rc0: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.3/usb4/4-1/4-1:0.0/rc/rc0
input: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.3/usb4/4-1/4-1:0.0/rc/rc0/input11
------------[ cut here ]------------
usb 4-1: BOGUS control dir, pipe 80000880 doesn't match bRequestType 60
WARNING: drivers/usb/core/urb.c:411 at usb_submit_urb+0x1573/0x1910 drivers/usb/core/urb.c:411, CPU#1: kworker/1:2/2686
Modules linked in:
CPU: 1 UID: 0 PID: 2686 Comm: kworker/1:2 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0x157e/0x1910 drivers/usb/core/urb.c:411
Code: d2 74 5d 48 89 54 24 40 e8 8f 11 c5 fc 4c 89 ef e8 f7 f9 d5 fe 48 89 c6 48 8d 3d 6d 5c 09 06 48 8b 54 24 40 45 89 f8 44 89 f1 <67> 48 0f b9 3a e9 c7 ed ff ff e8 63 11 c5 fc 89 ee bf ff 00 00 00
RSP: 0018:ffffc90006c3efa0 EFLAGS: 00010293
RAX: ffffffff88141de0 RBX: ffff888116206000 RCX: 0000000080000880
RDX: ffff8881046ee740 RSI: ffffffff88141de0 RDI: ffffffff8af71930
RBP: ffff8881202a5058 R08: 0000000000000060 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88811bb23e50
R13: ffff8881202a50b0 R14: 0000000080000880 R15: 0000000000000060
FS:  0000000000000000(0000) GS:ffff8882687a5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc4d3a2a540 CR3: 0000000117b44000 CR4: 00000000003506f0
Call Trace:
 <TASK>
 igorplugusb_cmd drivers/media/rc/igorplugusb.c:127 [inline]
 igorplugusb_probe+0xa2f/0xf90 drivers/media/rc/igorplugusb.c:225
 usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:631 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:709
 __driver_probe_device+0x22e/0x480 drivers/base/dd.c:871
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:901
 __device_attach_driver+0x1df/0x340 drivers/base/dd.c:1029
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1101
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1156
 bus_probe_device+0x64/0x160 drivers/base/bus.c:613
 device_add+0x1210/0x1950 drivers/base/core.c:3706
 usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2268
 usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:631 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:709
 __driver_probe_device+0x22e/0x480 drivers/base/dd.c:871
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:901
 __device_attach_driver+0x1df/0x340 drivers/base/dd.c:1029
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1101
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1156
 bus_probe_device+0x64/0x160 drivers/base/bus.c:613
 device_add+0x1210/0x1950 drivers/base/core.c:3706
 usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953
 process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
 process_scheduled_works kernel/workqueue.c:3385 [inline]
 worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x69a/0xc80 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	d2 74 5d 48          	shlb   %cl,0x48(%rbp,%rbx,2)
   4:	89 54 24 40          	mov    %edx,0x40(%rsp)
   8:	e8 8f 11 c5 fc       	call   0xfcc5119c
   d:	4c 89 ef             	mov    %r13,%rdi
  10:	e8 f7 f9 d5 fe       	call   0xfed5fa0c
  15:	48 89 c6             	mov    %rax,%rsi
  18:	48 8d 3d 6d 5c 09 06 	lea    0x6095c6d(%rip),%rdi        # 0x6095c8c
  1f:	48 8b 54 24 40       	mov    0x40(%rsp),%rdx
  24:	45 89 f8             	mov    %r15d,%r8d
  27:	44 89 f1             	mov    %r14d,%ecx
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	e9 c7 ed ff ff       	jmp    0xffffedfb
  34:	e8 63 11 c5 fc       	call   0xfcc5119c
  39:	89 ee                	mov    %ebp,%esi
  3b:	bf ff 00 00 00       	mov    $0xff,%edi