program:
# Syzkaller reproducer followed by the console log of the resulting crash.
# Per the log, the sequence ends in the WARNING at drivers/usb/core/urb.c:413
# ("BOGUS control dir"), which becomes a kernel panic because panic_on_warn is set.
# The call trace names only the final ioctl$I2C_SMBUS path; the cgroup2, perf,
# setresuid, clone3 and 9p calls do not appear in it and may be fuzzer noise
# (TODO confirm by minimising the program).

# Emulated USB device. The descriptor blob starts 12 01 00 02 .. 10 b0 0d 81 55 22 f9 01 02 03 01,
# i.e. ep0 maxpacket 16, idVendor 0x0db0, idProduct 0x5581, bcdDevice f9.22, string
# indexes 1/2/3 -- the same values the "New USB device found" log lines report.
# The log then shows dvb_usb_v2 binding it as 'MSI Mega Sky 55801 DVB-T USB2.0'.
r0 = syz_usb_connect(0x5, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="120100024286bd10b00d815522f90102030109021200019ddb10010904"], 0x0)
# Supplies a reply for a control request on the emulated device (a @string payload);
# presumably what satisfies the string-descriptor reads during enumeration -- confirm.
syz_usb_control_io$hid(r0, &(0x7f0000000340)={0x24, 0x0, &(0x7f0000000180)={0x0, 0x3, 0x2, @string={0x2}}, 0x0, 0x0}, 0x0)
# Creates a cgroup2 filesystem context and mounts it; r2 is the mount fd.
r1 = fsopen(&(0x7f0000000140)='cgroup2\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r1, 0x6, 0x0, 0x0, 0x0)
r2 = fsmount(r1, 0x0, 0x0)
# Opens a perf event; no perf frames appear in the call trace.
perf_event_open(&(0x7f00000005c0)={0x2, 0x80, 0xf9, 0x1, 0x0, 0x0, 0x0, 0x800000000, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffff, 0x0, @perf_bp={0x0}, 0x800, 0x2}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x9)
# Requests effective UID 0xee01. NOTE(review): the crash banner still prints "UID: 0"
# for the faulting task, so do not assume the ioctl ran unprivileged -- confirm.
setresuid(0x0, 0xee01, 0x0)
# clone3 with the cgroup2 mount fd r2 passed in the last struct field.
syz_clone3(&(0x7f0000000340)={0x201800000, 0x0, 0x0, 0x0, {0x2d}, 0x0, 0x0, 0x0, 0x0, 0x0, {r2}}, 0x58)
# Opens an I2C character device (id 0xc); presumably the adapter registered by the
# DVB driver for the emulated device -- confirm.
r3 = syz_open_dev$I2C(&(0x7f00000000c0), 0xc, 0x88000)
# NOTE(review): r4 is used by the next call but no "r4" binding is visible in this
# listing; the result annotation inside the pipe2 argument was probably lost in
# extraction, so the program as shown may not parse for replay.
pipe2$9p(&(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4000)
write$P9_RFLUSH(r4, &(0x7f0000000080)={0x7, 0x6d, 0x1}, 0x7)
# Crashing call: the log's user-side registers show ORIG_RAX=0x10 (ioctl) with
# RSI=0x720, and the kernel trace runs i2cdev_ioctl_smbus -> i2c_smbus_xfer ->
# gl861_i2c_master_xfer -> gl861_ctrl_msg -> usb_control_msg -> usb_submit_urb.
# Argument struct is {0x1, 0x88, 0x0, data}; if this follows struct
# i2c_smbus_ioctl_data (read_write, command, size, data), it is a read with size 0,
# i.e. a zero-length SMBus read -- TODO confirm. That would fit the warning: pipe
# 80000280 and bRequestType c0 both carry the IN bit, and mainline usb_submit_urb
# treats a control transfer with wLength 0 as OUT, so an IN pipe then mismatches.
# Triage direction: check whether the gl861 I2C path rejects zero-length reads
# before building the control message.
ioctl$I2C_SMBUS(r3, 0x720, &(0x7f0000001800)={0x1, 0x88, 0x0, &(0x7f00000017c0)={0x10, "4ec0191e5bb43600000000000000000711762717c44bf8c9b1cc22a10d00115d6d"}})
[ 104.368804][ T4655] Bluetooth: hci0: command tx timeout [ 104.699640][ T5325] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 104.849854][ T5325] usb 5-1: Using ep0 maxpacket: 16 [ 104.857457][ T5325] usb 5-1: New USB device found, idVendor=0db0, idProduct=5581, bcdDevice=f9.22 [ 104.861748][ T5325] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 104.865425][ T5325] usb 5-1: Product: syz [ 104.867344][ T5325] usb 5-1: Manufacturer: syz [ 104.869780][ T5325] usb 5-1: SerialNumber: syz [ 105.089823][ T5325] usb 5-1: dvb_usb_v2: found a 'MSI Mega Sky 55801 DVB-T USB2.0' in warm state [ 105.104050][ T5325] usb 5-1: dvb_usb_v2: will pass the complete MPEG2 transport stream to the software demuxer [ 
105.108521][ T5325] dvbdev: DVB: registering new adapter (MSI Mega Sky 55801 DVB-T USB2.0) [ 105.113540][ T5325] usb 5-1: media controller created [ 105.125918][ T5325] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered. [ 105.351749][ T5325] zl10353_read_register: readreg error (reg=127, ret==-110) [ 105.377058][ T5331] ------------[ cut here ]------------ [ 105.379893][ T5331] usb 5-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0 [ 105.384157][ T5331] WARNING: drivers/usb/core/urb.c:413 at usb_submit_urb+0x1053/0x18b0, CPU#0: syz.0.0/5331 [ 105.388783][ T5331] Modules linked in: [ 105.391544][ T5331] CPU: 0 UID: 0 PID: 5331 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 105.395538][ T5331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 105.399871][ T5331] RIP: 0010:usb_submit_urb+0x1115/0x18b0 [ 105.402243][ T5331] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c1 f2 ff ff 89 e9 [ 105.410852][ T5331] RSP: 0018:ffffc9000637f608 EFLAGS: 00010246 [ 105.414090][ T5331] RAX: 0000000000000000 RBX: ffff8880435ea000 RCX: 0000000080000280 [ 105.417903][ T5331] RDX: ffff88803c4fffc0 RSI: ffffffff8c80a0e0 RDI: ffffffff903e2ec0 [ 105.421531][ T5331] RBP: 1ffff11006fa0958 R08: 00000000000000c0 R09: 0000000000000000 [ 105.425046][ T5331] R10: ffffc9000637f700 R11: fffff52000c6feec R12: ffff888011dd3100 [ 105.428848][ T5331] R13: ffff888037d04ac0 R14: 0000000080000280 R15: ffff88803c4fffc0 [ 105.432355][ T5331] FS: 00007f18802c36c0(0000) GS:ffff88808c885000(0000) knlGS:0000000000000000 [ 105.436142][ T5331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 105.439147][ T5331] CR2: 0000200000001800 CR3: 0000000012dbb000 CR4: 0000000000352ef0 [ 105.442721][ T5331] Call Trace: [ 105.444221][ T5331] [ 105.445580][ T5331] ? 
__init_swait_queue_head+0xa9/0x150 [ 105.448011][ T5331] usb_start_wait_urb+0x13f/0x5b0 [ 105.450370][ T5331] ? __pfx_usb_start_wait_urb+0x10/0x10 [ 105.453036][ T5331] usb_control_msg+0x234/0x3e0 [ 105.455117][ T5331] gl861_ctrl_msg+0x207/0x420 [ 105.457260][ T5331] ? __pfx_gl861_ctrl_msg+0x10/0x10 [ 105.459791][ T5331] ? irq_poll_complete+0x80/0x190 [ 105.461958][ T5331] ? kasan_save_track+0x4f/0x80 [ 105.464020][ T5331] ? kasan_save_track+0x3e/0x80 [ 105.466077][ T5331] gl861_i2c_master_xfer+0x439/0x6a0 [ 105.468344][ T5331] __i2c_transfer+0x79a/0x1f70 [ 105.471366][ T5331] ? __lock_acquire+0x146e/0x2cf0 [ 105.473575][ T5331] __i2c_smbus_xfer+0xfca/0x1eb0 [ 105.475725][ T5331] ? __pfx___i2c_smbus_xfer+0x10/0x10 [ 105.478126][ T5331] ? lockdep_hardirqs_on+0x7a/0x110 [ 105.480644][ T5331] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 105.483218][ T5331] ? rt_mutex_lock_nested+0x15c/0x1e0 [ 105.485475][ T5331] i2c_smbus_xfer+0x1f4/0x310 [ 105.487458][ T5331] i2cdev_ioctl_smbus+0x1e7/0x730 [ 105.489936][ T5331] ? __pfx_i2cdev_ioctl_smbus+0x10/0x10 [ 105.492408][ T5331] i2cdev_ioctl+0x615/0x880 [ 105.494367][ T5331] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 105.496537][ T5331] ? __fget_files+0x2a/0x420 [ 105.498440][ T5331] ? __fget_files+0x3a0/0x420 [ 105.500427][ T5331] ? bpf_lsm_file_ioctl+0x9/0x20 [ 105.502352][ T5331] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 105.504456][ T5331] __se_sys_ioctl+0xfc/0x170 [ 105.506586][ T5331] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.509065][ T5331] do_syscall_64+0x15f/0xf80 [ 105.511417][ T5331] ? trace_irq_disable+0x3b/0x140 [ 105.513673][ T5331] ? 
clear_bhb_loop+0x40/0x90 [ 105.515727][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.518569][ T5331] RIP: 0033:0x7f187f39cdd9 [ 105.520653][ T5331] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 105.530761][ T5331] RSP: 002b:00007f18802c2fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 105.534761][ T5331] RAX: ffffffffffffffda RBX: 00007f187f616090 RCX: 00007f187f39cdd9 [ 105.538231][ T5331] RDX: 0000200000001800 RSI: 0000000000000720 RDI: 0000000000000007 [ 105.541738][ T5331] RBP: 00007f187f432d69 R08: 0000000000000000 R09: 0000000000000000 [ 105.545200][ T5331] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 105.548783][ T5331] R13: 00007f187f616128 R14: 00007f187f616090 R15: 00007ffffd607b58 [ 105.552427][ T5331] [ 105.553714][ T5331] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 105.556631][ T5331] CPU: 0 UID: 0 PID: 5331 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 105.560352][ T5331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 105.564043][ T5331] Call Trace: [ 105.565401][ T5331] [ 105.566550][ T5331] vpanic+0x56c/0xa60 [ 105.568166][ T5331] ? __pfx__printk+0x10/0x10 [ 105.570211][ T5331] ? __pfx_vpanic+0x10/0x10 [ 105.572186][ T5331] ? is_bpf_text_address+0x292/0x2b0 [ 105.574290][ T5331] ? is_bpf_text_address+0x26/0x2b0 [ 105.576213][ T5331] panic+0xc5/0xd0 [ 105.577620][ T5331] ? __pfx_panic+0x10/0x10 [ 105.579519][ T5331] __warn+0x315/0x4c0 [ 105.581143][ T5331] ? usb_submit_urb+0x1053/0x18b0 [ 105.583422][ T5331] ? usb_submit_urb+0x1053/0x18b0 [ 105.585712][ T5331] __report_bug+0x29a/0x540 [ 105.587502][ T5331] ? usb_submit_urb+0x1053/0x18b0 [ 105.589563][ T5331] ? __pfx___report_bug+0x10/0x10 [ 105.591658][ T5331] ? lockdep_hardirqs_on+0x7a/0x110 [ 105.593793][ T5331] ? 
_raw_spin_unlock_irqrestore+0x4c/0x80 [ 105.595785][ T5331] report_bug_entry+0x19a/0x290 [ 105.597739][ T5331] ? usb_submit_urb+0x1115/0x18b0 [ 105.599875][ T5331] ? usb_submit_urb+0x111a/0x18b0 [ 105.601837][ T5331] handle_bug+0xce/0x200 [ 105.603535][ T5331] exc_invalid_op+0x1a/0x50 [ 105.605715][ T5331] asm_exc_invalid_op+0x1a/0x20 [ 105.608214][ T5331] RIP: 0010:usb_submit_urb+0x1115/0x18b0 [ 105.610941][ T5331] Code: 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 91 05 00 00 45 0f b6 45 00 48 8b 7c 24 18 48 8b 74 24 10 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 c1 f2 ff ff 89 e9 [ 105.618735][ T5331] RSP: 0018:ffffc9000637f608 EFLAGS: 00010246 [ 105.621259][ T5331] RAX: 0000000000000000 RBX: ffff8880435ea000 RCX: 0000000080000280 [ 105.624410][ T5331] RDX: ffff88803c4fffc0 RSI: ffffffff8c80a0e0 RDI: ffffffff903e2ec0 [ 105.627745][ T5331] RBP: 1ffff11006fa0958 R08: 00000000000000c0 R09: 0000000000000000 [ 105.630886][ T5331] R10: ffffc9000637f700 R11: fffff52000c6feec R12: ffff888011dd3100 [ 105.634185][ T5331] R13: ffff888037d04ac0 R14: 0000000080000280 R15: ffff88803c4fffc0 [ 105.637617][ T5331] ? usb_submit_urb+0x10a4/0x18b0 [ 105.639799][ T5331] ? __init_swait_queue_head+0xa9/0x150 [ 105.642114][ T5331] usb_start_wait_urb+0x13f/0x5b0 [ 105.644378][ T5331] ? __pfx_usb_start_wait_urb+0x10/0x10 [ 105.646863][ T5331] usb_control_msg+0x234/0x3e0 [ 105.648985][ T5331] gl861_ctrl_msg+0x207/0x420 [ 105.651170][ T5331] ? __pfx_gl861_ctrl_msg+0x10/0x10 [ 105.653107][ T5331] ? irq_poll_complete+0x80/0x190 [ 105.655072][ T5331] ? kasan_save_track+0x4f/0x80 [ 105.656973][ T5331] ? kasan_save_track+0x3e/0x80 [ 105.658814][ T5331] gl861_i2c_master_xfer+0x439/0x6a0 [ 105.661003][ T5331] __i2c_transfer+0x79a/0x1f70 [ 105.663018][ T5331] ? __lock_acquire+0x146e/0x2cf0 [ 105.665401][ T5331] __i2c_smbus_xfer+0xfca/0x1eb0 [ 105.667528][ T5331] ? __pfx___i2c_smbus_xfer+0x10/0x10 [ 105.669828][ T5331] ? 
lockdep_hardirqs_on+0x7a/0x110 [ 105.672036][ T5331] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 105.674436][ T5331] ? rt_mutex_lock_nested+0x15c/0x1e0 [ 105.676664][ T5331] i2c_smbus_xfer+0x1f4/0x310 [ 105.678544][ T5331] i2cdev_ioctl_smbus+0x1e7/0x730 [ 105.680651][ T5331] ? __pfx_i2cdev_ioctl_smbus+0x10/0x10 [ 105.683095][ T5331] i2cdev_ioctl+0x615/0x880 [ 105.685075][ T5331] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 105.687210][ T5331] ? __fget_files+0x2a/0x420 [ 105.689272][ T5331] ? __fget_files+0x3a0/0x420 [ 105.691290][ T5331] ? bpf_lsm_file_ioctl+0x9/0x20 [ 105.693223][ T5331] ? __pfx_i2cdev_ioctl+0x10/0x10 [ 105.695171][ T5331] __se_sys_ioctl+0xfc/0x170 [ 105.697221][ T5331] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.699816][ T5331] do_syscall_64+0x15f/0xf80 [ 105.701574][ T5331] ? trace_irq_disable+0x3b/0x140 [ 105.703801][ T5331] ? clear_bhb_loop+0x40/0x90 [ 105.705982][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.708627][ T5331] RIP: 0033:0x7f187f39cdd9 [ 105.710553][ T5331] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 105.717484][ T5331] RSP: 002b:00007f18802c2fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 105.721079][ T5331] RAX: ffffffffffffffda RBX: 00007f187f616090 RCX: 00007f187f39cdd9 [ 105.724116][ T5331] RDX: 0000200000001800 RSI: 0000000000000720 RDI: 0000000000000007 [ 105.727373][ T5331] RBP: 00007f187f432d69 R08: 0000000000000000 R09: 0000000000000000 [ 105.730781][ T5331] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 105.734166][ T5331] R13: 00007f187f616128 R14: 00007f187f616090 R15: 00007ffffd607b58 [ 105.737700][ T5331] [ 105.739538][ T5331] Kernel Offset: disabled [ 105.741444][ T5331] Rebooting in 86400 seconds..