Extracting prog: 1m58.743525205s
Minimizing prog: 10m49.030941139s
Simplifying prog options: 0s
Extracting C: 48.487573926s
Simplifying C: 8m27.37258558s


extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="3001000000000008ac054302400001020301090224000101000000090400000203010200092100000001220000090581f20f00000000"], 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000e80)={0x84, &(0x7f00000009c0)=ANY=[@ANYBLOB="000008000000bfc7c7abcac0b4e2"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r0, 0x0, 0x0)

program crashed: WARNING in bcm5974_start_traffic/usb_submit_urb
single: successfully extracted reproducer
found reproducer with 3 syscalls
minimizing guilty program
testing program (duration=51.788383474s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="3001000000000008ac054302400001020301090224000101000000090400000203010200092100000001220000090581f20f00000000"], 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000e80)={0x84, &(0x7f00000009c0)=ANY=[@ANYBLOB="000008000000bfc7c7abcac0b4e2"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})

program did not crash
testing program (duration=51.788383474s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="3001000000000008ac054302400001020301090224000101000000090400000203010200092100000001220000090581f20f00000000"], 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)

program did not crash
testing program (duration=51.788383474s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
syz_usb_control_io(0xffffffffffffffff, 0x0, &(0x7f0000000e80)={0x84, &(0x7f00000009c0)=ANY=[@ANYBLOB="000008000000bfc7c7abcac0b4e2"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(0xffffffffffffffff, 0x0, 0x0)

program did not crash
testing program (duration=51.788383474s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000e80)={0x84, &(0x7f00000009c0)=ANY=[@ANYBLOB="000008000000bfc7c7abcac0b4e2"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r0, 0x0, 0x0)

program did not crash
testing program (duration=51.788383474s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB], 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000e80)={0x84, &(0x7f00000009c0)=ANY=[@ANYBLOB="000008000000bfc7c7abcac0b4e2"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r0, 0x0, 0x0)

program did not crash
testing program (duration=51.788383474s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="3001000000000008ac054302400001020301090224000101000000090400000203010200092100000001220000090581f20f00000000"], 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io$hid(r0, 0x0, 0x0)

program did not crash
testing program (duration=51.788383474s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="3001000000000008ac054302400001020301090224000101000000090400000203010200092100000001220000090581f20f00000000"], 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000e80)={0x84, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r0, 0x0, 0x0)

program did not crash
testing program (duration=51.788383474s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="3001000000000008ac054302400001020301090224000101000000090400000203010200092100000001220000090581f20f00000000"], 0x0)
syz_usb_control_io(r0, 0x0, &(0x7f0000000e80)={0x84, &(0x7f00000009c0)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$hid(r0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=51.788383474s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: WARNING in bcm5974_start_traffic/usb_submit_urb
simplifying C reproducer
testing compiled C program (duration=51.788383474s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: WARNING in bcm5974_start_traffic/usb_submit_urb
testing compiled C program (duration=51.788383474s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: WARNING in bcm5974_start_traffic/usb_submit_urb
testing compiled C program (duration=51.788383474s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: WARNING in bcm5974_start_traffic/usb_submit_urb
testing compiled C program (duration=51.788383474s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: WARNING in bcm5974_start_traffic/usb_submit_urb
testing compiled C program (duration=51.788383474s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: WARNING in bcm5974_start_traffic/usb_submit_urb
testing compiled C program (duration=51.788383474s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: WARNING in bcm5974_start_traffic/usb_submit_urb
testing compiled C program (duration=51.788383474s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io$hid
program crashed: WARNING in bcm5974_start_traffic/usb_submit_urb
reproducing took 22m3.634660182s
repro crashed as (corrupted=false):
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 1 PID: 5170 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4a/0x1730 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 1 UID: 0 PID: 5170 Comm: acpid Not tainted 6.15.0-rc6-syzkaller-00105-g088d13246a46 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:usb_submit_urb+0xe4a/0x1730 drivers/usb/core/urb.c:503
Code: 84 38 02 00 00 e8 e6 66 94 fa 4c 89 ef e8 9e da d6 fe 45 89 e0 89 e9 4c 89 f2 48 89 c6 48 c7 c7 80 36 51 8c e8 37 f4 53 fa 90 <0f> 0b 90 90 e9 ea f8 ff ff e8 b8 66 94 fa 49 81 c4 c8 05 00 00 e9
RSP: 0018:ffffc9000346f7c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8880213f5e00 RCX: ffffffff817ad548
RDX: ffff88805a02c880 RSI: ffffffff817ad555 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003
R13: ffff8881443e60b0 R14: ffff8880216cc180 R15: 0000000000000002
FS:  00007f90c140b740(0000) GS:ffff888124adf000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff06455800 CR3: 0000000030f89000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 bcm5974_start_traffic drivers/input/mouse/bcm5974.c:799 [inline]
 bcm5974_start_traffic+0xb8/0x180 drivers/input/mouse/bcm5974.c:783
 bcm5974_open+0xa2/0x180 drivers/input/mouse/bcm5974.c:838
 input_open_device+0x230/0x390 drivers/input/input.c:600
 mousedev_open_device+0xe0/0x140 drivers/input/mousedev.c:430
 mousedev_open+0x2fa/0x580 drivers/input/mousedev.c:556


final repro crashed as (corrupted=false):
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 1 PID: 5170 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4a/0x1730 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 1 UID: 0 PID: 5170 Comm: acpid Not tainted 6.15.0-rc6-syzkaller-00105-g088d13246a46 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:usb_submit_urb+0xe4a/0x1730 drivers/usb/core/urb.c:503
Code: 84 38 02 00 00 e8 e6 66 94 fa 4c 89 ef e8 9e da d6 fe 45 89 e0 89 e9 4c 89 f2 48 89 c6 48 c7 c7 80 36 51 8c e8 37 f4 53 fa 90 <0f> 0b 90 90 e9 ea f8 ff ff e8 b8 66 94 fa 49 81 c4 c8 05 00 00 e9
RSP: 0018:ffffc9000346f7c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8880213f5e00 RCX: ffffffff817ad548
RDX: ffff88805a02c880 RSI: ffffffff817ad555 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003
R13: ffff8881443e60b0 R14: ffff8880216cc180 R15: 0000000000000002
FS:  00007f90c140b740(0000) GS:ffff888124adf000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff06455800 CR3: 0000000030f89000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 bcm5974_start_traffic drivers/input/mouse/bcm5974.c:799 [inline]
 bcm5974_start_traffic+0xb8/0x180 drivers/input/mouse/bcm5974.c:783
 bcm5974_open+0xa2/0x180 drivers/input/mouse/bcm5974.c:838
 input_open_device+0x230/0x390 drivers/input/input.c:600
 mousedev_open_device+0xe0/0x140 drivers/input/mousedev.c:430
 mousedev_open+0x2fa/0x580 drivers/input/mousedev.c:556