program:
# Triage notes (reviewer-added; the calls themselves are unchanged, only restored to one per line).
# The kernel log below ends in a panic only because panic_on_warn is set. The
# underlying event is a WARNING at drivers/usb/core/urb.c:413 in usb_submit_urb:
# "BOGUS control dir, pipe 80000280 doesn't match bRequestType c0".
# The call trace for that WARNING contains only the ioctl -> i2c-dev -> dtv5100 ->
# USB core path. The Bluetooth, KCM, traffic-control and TIPC calls do not appear in
# it and are presumably fuzzer noise; confirm with a minimized reproducer.
socket(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000240))
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="1400000007"], 0x50)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
write$sysctl(0xffffffffffffffff, &(0x7f0000000000)='5\x00', 0x2)
bind$bt_hci(r0, &(0x7f0000000100)={0x1f, 0xffff, 0x3}, 0x6)
write$binfmt_misc(r0, &(0x7f0000000000), 0xd)
r1 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r1, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000000)="2e00000010008188e6b62aa73772cc9f1ba1f848430000005e140602000000000e000a000f120000028000001294", 0x2e}], 0x1}, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
# NOTE(review): r3 is used by the two sendmsg$nl_route_sched calls below but is never
# assigned in this listing. Presumably a "<r3=>" result marker on the ifindex field of
# this ioctl was lost when the page was extracted; confirm against the original report.
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000080)={'syz_tun\x00', 0x0})
sendmsg$nl_route_sched(r2, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000002c0)=@newqdisc={0x2c, 0x24, 0x4ee4e6a52ff56541, 0x70bd26, 0x25dfdbff, {0x0, 0x0, 0x0, r3, {}, {0xfff3, 0xffff}}, [@qdisc_kind_options=@q_mq={0x7}]}, 0x2c}}, 0x0)
r4 = socket$nl_route(0x10, 0x3, 0x0)
# Emulated USB device. The descriptor blob carries idVendor=06be, idProduct=a232,
# bcdDevice=33.f3 and bMaxPacketSize0=0x10, matching the "New USB device found" and
# "ep0 maxpacket: 16" log lines. The log then shows dvb-usb binding it as
# 'AME DTV-5100 USB2.0 DVB-T' and registering a DVB adapter.
r5 = syz_usb_connect(0x3, 0x3c, &(0x7f0000000380)=ANY=[@ANYBLOB="120101000814c910be0632a2f333010203010902120001000000000904"], 0x0)
syz_usb_control_io$uac1(r5, 0x0, 0x0)
syz_usb_control_io$printer(r5, 0x0, 0x0)
# Opens an i2c-dev node; presumably the adapter exposed by the dtv5100 driver, since
# the later SMBus ioctl on r6 reaches dtv5100_i2c_xfer in the trace.
r6 = syz_open_dev$I2C(&(0x7f00000000c0), 0xc, 0x88000)
syz_usb_control_io$hid(r5, 0x0, 0x0)
syz_usb_control_io$hid(r5, 0x0, &(0x7f0000000600)={0x2c, &(0x7f0000000000)=ANY=[], 0x0, 0x0, 0x0, 0x0})
# Call that matches the crash: the user-space register dump shows ORIG_RAX=0x10 (ioctl)
# with RSI=0x720, and the kernel trace runs i2cdev_ioctl_smbus -> i2c_smbus_xfer ->
# __i2c_transfer -> dtv5100_i2c_xfer -> dtv5100_i2c_msg -> usb_control_msg ->
# usb_submit_urb. The first three fields {0x1, 0x7, 0x1} are presumably
# read_write/command/size of struct i2c_smbus_ioctl_data; TODO confirm.
# The WARNING reports a mismatch between the pipe and bRequestType passed down from
# dtv5100_i2c_msg. Which arguments the driver chose is not visible on this page, so
# the fix location should be confirmed in the driver source.
ioctl$I2C_SMBUS(r6, 0x720, &(0x7f0000000140)={0x1, 0x7, 0x1, &(0x7f0000000100)={0x14, "3ac071ffbc8cd0d6847399bb98bcbe5b3986f0f503000000b40c65fd000500"}})
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000040)={'veth0\x00'})
sendmsg$nl_route_sched(r4, &(0x7f0000001200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000400)=@newtclass={0x100, 0x28, 0x404, 0x70bd2d, 0x25dfdbff, {0x0, 0x0, 0x0, r3, {0x2, 0xf}, {0x9, 0x5}, {0xfff2}}, [@tclass_kind_options=@c_red={0x8}, @TCA_RATE={0x6, 0x5, {0x3, 0x1}}, @tclass_kind_options=@c_tbf={0x8}, @tclass_kind_options=@c_hfsc={{0x9}, {0xa4, 0x2, [@TCA_HFSC_RSC={0x10, 0x1, {0x3, 0x87e}}, @TCA_HFSC_RSC={0x10, 0x1, {0x80000000, 0xfffffffd}}, @TCA_HFSC_FSC={0x10, 0x2, {0x1, 0x4, 0x7}}, @TCA_HFSC_FSC={0x10, 0x2, {0x9, 0x200, 0x1}}, @TCA_HFSC_FSC={0x10, 0x2, {0x80000000, 0x3, 0x8}}, @TCA_HFSC_FSC={0x10, 0x2, {0x9, 0x9, 0x7}}, @TCA_HFSC_RSC={0x10, 0x1, {0xfffffffb, 0x3, 0xe}}, @TCA_HFSC_RSC={0x10, 0x1, {0x9, 0xfffffffc, 0x7}}, @TCA_HFSC_RSC={0x10, 0x1, {0x4, 0x5, 0x2}}, @TCA_HFSC_USC={0x10, 0x3, {0x5, 0xb748, 0xfffffff1}}]}}, @tclass_kind_options=@c_prio={0x9}, @TCA_RATE={0x6, 0x5, {0x77, 0x1}}]}, 0x100}, 0x1, 0x0, 0x0, 0x51}, 0x0)
r7 = socket$nl_route(0x10, 0x3, 0x0)
r8 = socket$tipc(0x1e, 0x2, 0x0)
setsockopt$TIPC_GROUP_JOIN(r8, 0x10f, 0x87, &(0x7f0000000000)={0x2001}, 0x10)
r9 = socket$nl_generic(0x10, 0x3, 0x10)
r10 = syz_genetlink_get_family_id$tipc(&(0x7f00000003c0), 0xffffffffffffffff)
bind$tipc(r8, 0x0, 0x0)
sendmsg$TIPC_CMD_SHOW_NAME_TABLE(r9, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000280)={0x30, r10, 0x1, 0x0, 0x100000, {{}, {}, {0x14, 0x19, {0x2, 0x1, 0x0, 0x2000000}}}}, 0x30}, 0x1, 0x0, 0x0, 0x24000000}, 0x41010)
sendmsg$nl_route_sched(r7, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000180)=@getqdisc={0x24, 0x26, 0x705, 0x70bd2b, 0x25dfdbfd, {0x0, 0x0, 0x0, 0x0, {0x1, 0xffe0}, {0x10, 0x8}, {0xfff2, 0x7}}}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x0)

[ 119.772081][ T44] Bluetooth: hci0: command tx timeout [ 119.866885][ T5338] Bluetooth: MGMT ver 1.23 [ 119.890923][ T5338] netlink: 'syz.0.0': attribute type 10 has an invalid length. 
[ 120.162025][ T1393] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 120.312057][ T1393] usb 5-1: Using ep0 maxpacket: 16 [ 120.321110][ T1393] usb 5-1: New USB device found, idVendor=06be, idProduct=a232, bcdDevice=33.f3 [ 120.326553][ T1393] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 120.330808][ T1393] usb 5-1: Product: syz [ 120.335047][ T1393] usb 5-1: Manufacturer: syz [ 120.336917][ T1393] usb 5-1: SerialNumber: syz [ 120.347545][ T1393] usb 5-1: config 0 descriptor?? [ 120.758683][ T1393] dvb-usb: found a 'AME DTV-5100 USB2.0 DVB-T' in warm state. [ 120.779582][ T1393] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer. [ 120.785029][ T1393] dvbdev: DVB: registering new adapter (AME DTV-5100 USB2.0 DVB-T) [ 120.788794][ T1393] usb 5-1: media controller created [ 120.804635][ T1393] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 120.960044][ T1393] zl10353_read_register: readreg error (reg=127, ret==0) [ 120.964423][ T1393] dvb-usb: no frontend was attached by 'AME DTV-5100 USB2.0 DVB-T' [ 120.967695][ T1393] dvb-usb: AME DTV-5100 USB2.0 DVB-T successfully initialized and connected. 
[ 121.322160][ T5339] ------------[ cut here ]------------ [ 121.324530][ T5339] usb 5-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0 [ 121.328486][ T5339] WARNING: drivers/usb/core/urb.c:413 at usb_submit_urb+0x1053/0x18b0, CPU#0: syz.0.0/5339 [ 121.332485][ T5339] Modules linked in: [ 121.334946][ T5339] CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 121.338276][ T5339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 121.342074][ T5339] RIP: 0010:usb_submit_urb+0x1115/0x18b0 [ 121.344310][ T5339] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c1 f2 ff ff 89 e9 [ 121.351610][ T5339] RSP: 0018:ffffc9000f7a7688 EFLAGS: 00010246 [ 121.354121][ T5339] RAX: 0000000000000000 RBX: ffff8880346a6600 RCX: 0000000080000280 [ 121.356874][ T5339] RDX: ffff888041acc560 RSI: ffffffff8c80a0e0 RDI: ffffffff903e2ec0 [ 121.359913][ T5339] RBP: 1ffff11008359980 R08: 00000000000000c0 R09: 0000000000000000 [ 121.363276][ T5339] R10: ffffc9000f7a7780 R11: fffff52001ef4efc R12: ffff888042b66100 [ 121.366251][ T5339] R13: ffff888041accc00 R14: 0000000080000280 R15: ffff888041acc560 [ 121.369348][ T5339] FS: 00007f8112cfe6c0(0000) GS:ffff88808c885000(0000) knlGS:0000000000000000 [ 121.372808][ T5339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 121.375304][ T5339] CR2: 00007f8112cfdff8 CR3: 000000004451f000 CR4: 0000000000352ef0 [ 121.378306][ T5339] Call Trace: [ 121.379610][ T5339] [ 121.380714][ T5339] ? __init_swait_queue_head+0xa9/0x150 [ 121.383028][ T5339] usb_start_wait_urb+0x13f/0x5b0 [ 121.384903][ T5339] ? 
__pfx_usb_start_wait_urb+0x10/0x10 [ 121.387008][ T5339] usb_control_msg+0x234/0x3e0 [ 121.388832][ T5339] dtv5100_i2c_msg+0x231/0x2f0 [ 121.390679][ T5339] dtv5100_i2c_xfer+0x1a4/0x3c0 [ 121.392722][ T5339] __i2c_transfer+0x79a/0x1f70 [ 121.394615][ T5339] ? __lock_acquire+0x146e/0x2cf0 [ 121.396614][ T5339] __i2c_smbus_xfer+0xfca/0x1eb0 [ 121.398539][ T5339] ? __pfx___i2c_smbus_xfer+0x10/0x10 [ 121.400649][ T5339] ? lockdep_hardirqs_on+0x7a/0x110 [ 121.402999][ T5339] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 121.405294][ T5339] ? rt_mutex_lock_nested+0x15c/0x1e0 [ 121.410776][ T5339] i2c_smbus_xfer+0x1f4/0x310 [ 121.413287][ T5339] i2cdev_ioctl_smbus+0x434/0x730 [ 121.415276][ T5339] ? __pfx_i2cdev_ioctl_smbus+0x10/0x10 [ 121.417540][ T5339] i2cdev_ioctl+0x615/0x880 [ 121.419454][ T5339] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 121.422337][ T5339] ? __fget_files+0x2a/0x420 [ 121.424414][ T5339] ? __fget_files+0x3a0/0x420 [ 121.426555][ T5339] ? bpf_lsm_file_ioctl+0x9/0x20 [ 121.428527][ T5339] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 121.430356][ T5339] __se_sys_ioctl+0xfc/0x170 [ 121.432219][ T5339] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 121.434465][ T5339] do_syscall_64+0x15f/0xf80 [ 121.436244][ T5339] ? trace_irq_disable+0x3b/0x140 [ 121.438296][ T5339] ? 
clear_bhb_loop+0x40/0x90 [ 121.440176][ T5339] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 121.442662][ T5339] RIP: 0033:0x7f8111d9cdd9 [ 121.444437][ T5339] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 121.457472][ T5339] RSP: 002b:00007f8112cfdfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 121.460651][ T5339] RAX: ffffffffffffffda RBX: 00007f8112016090 RCX: 00007f8111d9cdd9 [ 121.465753][ T5339] RDX: 0000200000000140 RSI: 0000000000000720 RDI: 000000000000000b [ 121.468398][ T5339] RBP: 00007f8111e32d69 R08: 0000000000000000 R09: 0000000000000000 [ 121.471148][ T5339] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 121.474288][ T5339] R13: 00007f8112016128 R14: 00007f8112016090 R15: 00007ffc00c58ad8 [ 121.477377][ T5339] [ 121.478601][ T5339] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 121.481348][ T5339] CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 121.484755][ T5339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 121.488489][ T5339] Call Trace: [ 121.489857][ T5339] [ 121.491067][ T5339] vpanic+0x56c/0xa60 [ 121.492660][ T5339] ? __pfx__printk+0x10/0x10 [ 121.494438][ T5339] ? __pfx_vpanic+0x10/0x10 [ 121.496136][ T5339] ? is_bpf_text_address+0x292/0x2b0 [ 121.498108][ T5339] ? is_bpf_text_address+0x26/0x2b0 [ 121.500052][ T5339] panic+0xc5/0xd0 [ 121.501418][ T5339] ? __pfx_panic+0x10/0x10 [ 121.503211][ T5339] __warn+0x315/0x4c0 [ 121.504754][ T5339] ? usb_submit_urb+0x1053/0x18b0 [ 121.506701][ T5339] ? usb_submit_urb+0x1053/0x18b0 [ 121.508565][ T5339] __report_bug+0x29a/0x540 [ 121.510371][ T5339] ? usb_submit_urb+0x1053/0x18b0 [ 121.512238][ T5339] ? __pfx___report_bug+0x10/0x10 [ 121.514314][ T5339] ? lockdep_hardirqs_on+0x7a/0x110 [ 121.516259][ T5339] ? 
_raw_spin_unlock_irqrestore+0x4c/0x80 [ 121.518573][ T5339] report_bug_entry+0x19a/0x290 [ 121.520479][ T5339] ? usb_submit_urb+0x1115/0x18b0 [ 121.522607][ T5339] ? usb_submit_urb+0x111a/0x18b0 [ 121.524569][ T5339] handle_bug+0xce/0x200 [ 121.526296][ T5339] exc_invalid_op+0x1a/0x50 [ 121.527971][ T5339] asm_exc_invalid_op+0x1a/0x20 [ 121.529861][ T5339] RIP: 0010:usb_submit_urb+0x1115/0x18b0 [ 121.532040][ T5339] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c1 f2 ff ff 89 e9 [ 121.539461][ T5339] RSP: 0018:ffffc9000f7a7688 EFLAGS: 00010246 [ 121.541835][ T5339] RAX: 0000000000000000 RBX: ffff8880346a6600 RCX: 0000000080000280 [ 121.544882][ T5339] RDX: ffff888041acc560 RSI: ffffffff8c80a0e0 RDI: ffffffff903e2ec0 [ 121.547983][ T5339] RBP: 1ffff11008359980 R08: 00000000000000c0 R09: 0000000000000000 [ 121.550942][ T5339] R10: ffffc9000f7a7780 R11: fffff52001ef4efc R12: ffff888042b66100 [ 121.553923][ T5339] R13: ffff888041accc00 R14: 0000000080000280 R15: ffff888041acc560 [ 121.556740][ T5339] ? usb_submit_urb+0x10a4/0x18b0 [ 121.558754][ T5339] ? __init_swait_queue_head+0xa9/0x150 [ 121.560892][ T5339] usb_start_wait_urb+0x13f/0x5b0 [ 121.562851][ T5339] ? __pfx_usb_start_wait_urb+0x10/0x10 [ 121.564974][ T5339] usb_control_msg+0x234/0x3e0 [ 121.566889][ T5339] dtv5100_i2c_msg+0x231/0x2f0 [ 121.568752][ T5339] dtv5100_i2c_xfer+0x1a4/0x3c0 [ 121.570678][ T5339] __i2c_transfer+0x79a/0x1f70 [ 121.572925][ T5339] ? __lock_acquire+0x146e/0x2cf0 [ 121.574840][ T5339] __i2c_smbus_xfer+0xfca/0x1eb0 [ 121.576761][ T5339] ? __pfx___i2c_smbus_xfer+0x10/0x10 [ 121.578712][ T5339] ? lockdep_hardirqs_on+0x7a/0x110 [ 121.580665][ T5339] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 121.582872][ T5339] ? 
rt_mutex_lock_nested+0x15c/0x1e0 [ 121.584559][ T5339] i2c_smbus_xfer+0x1f4/0x310 [ 121.586350][ T5339] i2cdev_ioctl_smbus+0x434/0x730 [ 121.588204][ T5339] ? __pfx_i2cdev_ioctl_smbus+0x10/0x10 [ 121.590405][ T5339] i2cdev_ioctl+0x615/0x880 [ 121.592193][ T5339] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 121.594180][ T5339] ? __fget_files+0x2a/0x420 [ 121.596043][ T5339] ? __fget_files+0x3a0/0x420 [ 121.597912][ T5339] ? bpf_lsm_file_ioctl+0x9/0x20 [ 121.599729][ T5339] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 121.601447][ T5339] __se_sys_ioctl+0xfc/0x170 [ 121.603437][ T5339] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 121.605984][ T5339] do_syscall_64+0x15f/0xf80 [ 121.607740][ T5339] ? trace_irq_disable+0x3b/0x140 [ 121.609703][ T5339] ? clear_bhb_loop+0x40/0x90 [ 121.611555][ T5339] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 121.613844][ T5339] RIP: 0033:0x7f8111d9cdd9 [ 121.615607][ T5339] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 121.623052][ T5339] RSP: 002b:00007f8112cfdfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 121.626095][ T5339] RAX: ffffffffffffffda RBX: 00007f8112016090 RCX: 00007f8111d9cdd9 [ 121.629057][ T5339] RDX: 0000200000000140 RSI: 0000000000000720 RDI: 000000000000000b [ 121.632114][ T5339] RBP: 00007f8111e32d69 R08: 0000000000000000 R09: 0000000000000000 [ 121.634902][ T5339] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 121.637993][ T5339] R13: 00007f8112016128 R14: 00007f8112016090 R15: 00007ffc00c58ad8 [ 121.640944][ T5339] [ 121.642610][ T5339] Kernel Offset: disabled [ 121.644317][ T5339] Rebooting in 86400 seconds..