program:
# Triage notes (derived from the console log that follows this program).
# Outcome: WARNING "BOGUS control dir" in usb_submit_urb(), reached through
# gl861_ctrl_msg(); the kernel panic that follows is reported as
# "panic_on_warn set". The log records the task as UID 0 and the host
# controller as dummy_hcd, i.e. an emulated USB device.
#
# Connect an emulated USB device. The descriptor blob encodes idVendor 0x0db0 /
# idProduct 0x5581 (little-endian "b00d" "8155"), which the log shows binding
# to dvb_usb_v2 as 'MSI Mega Sky 55801 DVB-T USB2.0'.
r0 = syz_usb_connect(0x5, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="120100024286bd10b00d815522f90102030109021200019ddb10010904"], 0x0)
# Supplies a response to a control request on that device (a short string
# descriptor). NOTE(review): whether this call is required for the warning is
# not visible from the log.
syz_usb_control_io$hid(r0, &(0x7f0000000340)={0x24, 0x0, &(0x7f0000000180)={0x0, 0x3, 0x2, @string={0x2}}, 0x0, 0x0}, 0x0)
# Open an I2C character device; the call trace (i2cdev_read ->
# gl861_i2c_master_xfer) shows it is backed by the adapter the gl861 driver
# registered. The device-name template at 0x7f00000000c0 is not shown; 0xc is
# presumably the adapter index - confirm.
r1 = syz_open_dev$I2C(&(0x7f00000000c0), 0xc, 0x88000)
# Read with count == 0 (third argument; RDX is 0 in the user-space register
# dump). The trace shows this travelling i2cdev_read -> i2c_transfer ->
# gl861_i2c_master_xfer -> gl861_ctrl_msg -> usb_control_msg.
# NOTE(review): the warning prints pipe 80000280 and bRequestType c0, both with
# the IN direction bit (0x80) set, so the mismatch most likely stems from the
# zero transfer length rather than from the direction bits; verify against
# drivers/usb/core/urb.c:413. If confirmed, the usual remedy is for the
# adapter to reject zero-length reads (I2C_AQ_NO_ZERO_LEN_READ quirk) instead
# of forwarding them to usb_control_msg().
pread64(r1, 0x0, 0x0, 0x3)
[ 84.696801][ T5289] Bluetooth: hci0: command tx timeout
[ 84.971249][ T5312] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 85.121290][ T5312] usb 5-1: Using ep0 maxpacket: 16
[ 85.129678][ T5312] usb 5-1: New USB device found, idVendor=0db0, idProduct=5581, bcdDevice=f9.22
[ 85.133968][ T5312] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 85.137714][ T5312] usb 5-1: Product: syz
[ 85.140514][ T5312] usb 5-1: Manufacturer: syz
[ 85.143787][ T5312] usb 5-1: SerialNumber: syz
[ 85.385893][ T5312] usb 5-1: dvb_usb_v2: found a 'MSI Mega Sky 55801 DVB-T USB2.0' in warm state
[ 85.406270][ T5312] usb 5-1: dvb_usb_v2: will pass the complete MPEG2 transport stream to the software demuxer
[ 85.412712][ T5312] dvbdev: DVB: registering new adapter (MSI Mega Sky 55801 DVB-T USB2.0)
[ 85.418215][ T5312] usb 5-1: media controller created
[ 85.432439][ T5312] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[ 85.677262][ T5328] ------------[ cut here ]------------
[ 85.679885][ T5328] usb 5-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0
[ 85.683242][ T5328] WARNING: drivers/usb/core/urb.c:413 at usb_submit_urb+0x1053/0x18b0, CPU#0: syz.0.0/5328
[ 85.687298][ T5328] Modules linked in:
[ 85.689526][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 85.693585][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 85.697940][ T5328] RIP: 0010:usb_submit_urb+0x1115/0x18b0
[ 85.700356][ T5328] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c1 f2 ff ff 89 e9
[ 85.708798][ T5328] RSP: 0018:ffffc90006e37708 EFLAGS: 00010246
[ 85.711501][ T5328] RAX: 0000000000000000 RBX: ffff888036a76a00 RCX: 0000000080000280
[ 85.714850][ T5328] RDX: ffff888033c2f740 RSI: ffffffff8c80a2e0 RDI: ffffffff903e3b80
[ 85.718315][ T5328] RBP: 1ffff11007afb7f8 R08: 00000000000000c0 R09: 0000000000000000
[ 85.721926][ T5328] R10: ffffc90006e37800 R11: fffff52000dc6f0c R12: ffff8880127a9100
[ 85.725391][ T5328] R13: ffff88803d7dbfc0 R14: 0000000080000280 R15: ffff888033c2f740
[ 85.728816][ T5328] FS: 00007fbe810b36c0(0000) GS:ffff88808c882000(0000) knlGS:0000000000000000
[ 85.732793][ T5328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.735676][ T5328] CR2: 00007ffc52f21ff8 CR3: 00000000133ac000 CR4: 0000000000352ef0
[ 85.739085][ T5328] Call Trace:
[ 85.740527][ T5328] <TASK>
[ 85.742954][ T5328] ? __init_swait_queue_head+0xa9/0x150
[ 85.745617][ T5328] usb_start_wait_urb+0x13f/0x5b0
[ 85.747774][ T5328] ? __pfx_usb_start_wait_urb+0x10/0x10
[ 85.750604][ T5328] usb_control_msg+0x234/0x3e0
[ 85.753327][ T5328] gl861_ctrl_msg+0x207/0x420
[ 85.755468][ T5328] ? lockdep_hardirqs_on+0x7a/0x110
[ 85.757852][ T5328] ? __pfx_gl861_ctrl_msg+0x10/0x10
[ 85.760153][ T5328] ? rt_mutex_slowlock+0x1fd/0x780
[ 85.762626][ T5328] ? __pfx_rt_mutex_slowlock+0x10/0x10
[ 85.765007][ T5328] ? aa_file_perm+0x50e/0x15e0
[ 85.767086][ T5328] gl861_i2c_master_xfer+0x439/0x6a0
[ 85.769321][ T5328] __i2c_transfer+0x79a/0x1f70
[ 85.771615][ T5328] ? i2c_transfer+0xc8/0x2d0
[ 85.773652][ T5328] i2c_transfer+0x1cc/0x2d0
[ 85.775715][ T5328] i2c_transfer_buffer_flags+0x10d/0x1a0
[ 85.778132][ T5328] ? __lock_acquire+0x6b5/0x2cf0
[ 85.780361][ T5328] ? __pfx_i2c_transfer_buffer_flags+0x10/0x10
[ 85.783322][ T5328] ? i2cdev_read+0xe8/0x250
[ 85.785447][ T5328] i2cdev_read+0x10d/0x250
[ 85.787368][ T5328] ? __pfx_i2cdev_read+0x10/0x10
[ 85.789675][ T5328] vfs_read+0x20c/0xa70
[ 85.791652][ T5328] ? __pfx_vfs_read+0x10/0x10
[ 85.793744][ T5328] ? __fget_files+0x2a/0x420
[ 85.795822][ T5328] ? __fget_files+0x2a/0x420
[ 85.797907][ T5328] ? __fget_files+0x3a0/0x420
[ 85.800007][ T5328] ? __fget_files+0x2a/0x420
[ 85.802165][ T5328] __x64_sys_pread64+0x199/0x230
[ 85.804338][ T5328] ? __pfx___x64_sys_pread64+0x10/0x10
[ 85.806708][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.809314][ T5328] do_syscall_64+0x15f/0xf80
[ 85.811449][ T5328] ? clear_bhb_loop+0x40/0x90
[ 85.813423][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.816071][ T5328] RIP: 0033:0x7fbe8019cdd9
[ 85.818034][ T5328] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 85.826499][ T5328] RSP: 002b:00007fbe810b2fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
[ 85.830135][ T5328] RAX: ffffffffffffffda RBX: 00007fbe80415fa0 RCX: 00007fbe8019cdd9
[ 85.834356][ T5328] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 85.837781][ T5328] RBP: 00007fbe80232d69 R08: 0000000000000000 R09: 0000000000000000
[ 85.841446][ T5328] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[ 85.845219][ T5328] R13: 00007fbe80416038 R14: 00007fbe80415fa0 R15: 00007ffe16712c48
[ 85.848688][ T5328] </TASK>
[ 85.852000][ T5328] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 85.855332][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 85.859208][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 85.863572][ T5328] Call Trace:
[ 85.865113][ T5328] <TASK>
[ 85.866434][ T5328] vpanic+0x56c/0xa60
[ 85.868272][ T5328] ? __pfx__printk+0x10/0x10
[ 85.870317][ T5328] ? __pfx_vpanic+0x10/0x10
[ 85.872436][ T5328] ? is_bpf_text_address+0x292/0x2b0
[ 85.874839][ T5328] ? is_bpf_text_address+0x26/0x2b0
[ 85.877168][ T5328] panic+0xc5/0xd0
[ 85.878862][ T5328] ? __pfx_panic+0x10/0x10
[ 85.880889][ T5328] __warn+0x315/0x4c0
[ 85.882629][ T5328] ? usb_submit_urb+0x1053/0x18b0
[ 85.884797][ T5328] ? usb_submit_urb+0x1053/0x18b0
[ 85.886939][ T5328] __report_bug+0x29a/0x540
[ 85.888928][ T5328] ? usb_submit_urb+0x1053/0x18b0
[ 85.891115][ T5328] ? __pfx___report_bug+0x10/0x10
[ 85.893198][ T5328] ? lockdep_hardirqs_on+0x7a/0x110
[ 85.895391][ T5328] ? _raw_spin_unlock_irqrestore+0x4c/0x80
[ 85.897891][ T5328] report_bug_entry+0x19a/0x290
[ 85.899936][ T5328] ? usb_submit_urb+0x1115/0x18b0
[ 85.902154][ T5328] ? usb_submit_urb+0x111a/0x18b0
[ 85.904363][ T5328] handle_bug+0xce/0x200
[ 85.906224][ T5328] exc_invalid_op+0x1a/0x50
[ 85.908155][ T5328] asm_exc_invalid_op+0x1a/0x20
[ 85.910325][ T5328] RIP: 0010:usb_submit_urb+0x1115/0x18b0
[ 85.913160][ T5328] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c1 f2 ff ff 89 e9
[ 85.921334][ T5328] RSP: 0018:ffffc90006e37708 EFLAGS: 00010246
[ 85.923923][ T5328] RAX: 0000000000000000 RBX: ffff888036a76a00 RCX: 0000000080000280
[ 85.927395][ T5328] RDX: ffff888033c2f740 RSI: ffffffff8c80a2e0 RDI: ffffffff903e3b80
[ 85.930777][ T5328] RBP: 1ffff11007afb7f8 R08: 00000000000000c0 R09: 0000000000000000
[ 85.934307][ T5328] R10: ffffc90006e37800 R11: fffff52000dc6f0c R12: ffff8880127a9100
[ 85.937579][ T5328] R13: ffff88803d7dbfc0 R14: 0000000080000280 R15: ffff888033c2f740
[ 85.940957][ T5328] ? usb_submit_urb+0x10a4/0x18b0
[ 85.943152][ T5328] ? __init_swait_queue_head+0xa9/0x150
[ 85.945619][ T5328] usb_start_wait_urb+0x13f/0x5b0
[ 85.947763][ T5328] ? __pfx_usb_start_wait_urb+0x10/0x10
[ 85.950170][ T5328] usb_control_msg+0x234/0x3e0
[ 85.952369][ T5328] gl861_ctrl_msg+0x207/0x420
[ 85.954324][ T5328] ? lockdep_hardirqs_on+0x7a/0x110
[ 85.956554][ T5328] ? __pfx_gl861_ctrl_msg+0x10/0x10
[ 85.958854][ T5328] ? rt_mutex_slowlock+0x1fd/0x780
[ 85.961084][ T5328] ? __pfx_rt_mutex_slowlock+0x10/0x10
[ 85.963433][ T5328] ? aa_file_perm+0x50e/0x15e0
[ 85.965579][ T5328] gl861_i2c_master_xfer+0x439/0x6a0
[ 85.967887][ T5328] __i2c_transfer+0x79a/0x1f70
[ 85.969966][ T5328] ? i2c_transfer+0xc8/0x2d0
[ 85.972056][ T5328] i2c_transfer+0x1cc/0x2d0
[ 85.974000][ T5328] i2c_transfer_buffer_flags+0x10d/0x1a0
[ 85.976459][ T5328] ? __lock_acquire+0x6b5/0x2cf0
[ 85.978738][ T5328] ? __pfx_i2c_transfer_buffer_flags+0x10/0x10
[ 85.981527][ T5328] ? i2cdev_read+0xe8/0x250
[ 85.983537][ T5328] i2cdev_read+0x10d/0x250
[ 85.985451][ T5328] ? __pfx_i2cdev_read+0x10/0x10
[ 85.987534][ T5328] vfs_read+0x20c/0xa70
[ 85.989395][ T5328] ? __pfx_vfs_read+0x10/0x10
[ 85.991587][ T5328] ? __fget_files+0x2a/0x420
[ 85.993653][ T5328] ? __fget_files+0x2a/0x420
[ 85.995653][ T5328] ? __fget_files+0x3a0/0x420
[ 85.997725][ T5328] ? __fget_files+0x2a/0x420
[ 85.999734][ T5328] __x64_sys_pread64+0x199/0x230
[ 86.001871][ T5328] ? __pfx___x64_sys_pread64+0x10/0x10
[ 86.004261][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.006956][ T5328] do_syscall_64+0x15f/0xf80
[ 86.009051][ T5328] ? clear_bhb_loop+0x40/0x90
[ 86.011085][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.013459][ T5328] RIP: 0033:0x7fbe8019cdd9
[ 86.015297][ T5328] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 86.023076][ T5328] RSP: 002b:00007fbe810b2fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011
[ 86.026637][ T5328] RAX: ffffffffffffffda RBX: 00007fbe80415fa0 RCX: 00007fbe8019cdd9
[ 86.029947][ T5328] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 86.033350][ T5328] RBP: 00007fbe80232d69 R08: 0000000000000000 R09: 0000000000000000
[ 86.036707][ T5328] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[ 86.040068][ T5328] R13: 00007fbe80416038 R14: 00007fbe80415fa0 R15: 00007ffe16712c48
[ 86.043526][ T5328] </TASK>
[ 86.045299][ T5328] Kernel Offset: disabled
[ 86.047234][ T5328] Rebooting in 86400 seconds..