program: syz_usb_connect$printer(0x0, 0x36, &(0x7f00000001c0)=ANY=[@ANYBLOB="0d01000009000008250592d20700006a3b010902241700fa0074980904e4ff11070103000905010200ffe0000009058202"], 0x0) close(0x3) r0 = syz_usb_connect$uac1(0x0, 0x71, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000000000000ff6b1d010140000102032109025f0003d471e76a1e010400020904000000010100000a240100009bdf2d01020904010501090000000000002501d000e4102b36460eb8e6eedba62021a325660000090402000001020000090402010101020000090582090000000000002501"], 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={0x0}, 0x1, 0x0, 0x0, 0x4000811}, 0x0) r1 = socket$netlink(0x10, 0x3, 0x0) r2 = syz_open_procfs$namespace(0x0, &(0x7f0000000000)='ns/cgroup\x00') ioctl$NS_GET_PARENT(r2, 0x8004b708, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000001c0)=ANY=[@ANYBLOB="400000001000030400"/20, @ANYRES32=0x0, @ANYBLOB="00000000000000001800128008000100707070"], 0x40}}, 0x0) sendmmsg(r1, &(0x7f00000002c0), 0x40000000000009f, 0x0) syz_usb_control_io$uac1(r0, 0x0, 0x0) r3 = syz_usb_connect(0x4, 0x158, &(0x7f0000000440)={{0x12, 0x1, 0x300, 0x83, 0x64, 0xf, 0x30, 0x12d1, 0x191a, 0xbee4, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x146, 0x1, 0x5, 0x9, 0xf0, 0x9, "", [{{0x9, 0x4, 0x53, 0x7, 0x1, 0xff, 0x1, 0x6, 0x3, [@cdc_ncm={{0xb, 0x24, 0x6, 0x0, 0x1, "ead7f6326be5"}, {0x5, 0x24, 0x0, 0xffff}, {0xd, 0x24, 0xf, 0x1, 0x5, 0x7ff, 0x3, 0x5}, {0x6, 0x24, 0x1a, 0x0, 0x2}, [@mbim_extended={0x8, 0x24, 0x1c, 0x1, 0x0, 0xbad}, @acm={0x4, 0x24, 0x2, 0xc}, @mbim={0xc, 0x24, 0x1b, 0xcb, 0x2, 0x5, 0xff, 0x0, 0x4}]}], [{{0x9, 0x5, 0x80, 0x4, 0x0, 0x2, 0x7, 0x2, [@generic={0xf0, 0x1, 
"9d1244d7dcd95a1d8876851b9d528d8798520aace61a29fb62f8f126188c87929959fe828706dcb34d07f32048b08eb2c6288fd7362c386ef522cc5ce598ba0899dc26334a71f90b0def85acad185486dc70bcf338e9e4c6b7bf2978b593c49e129825bd9f209548682dadee5e82192a11c5e6f604d10167a4731da95509933cf5831141f6eb5af78a0be24e8529b7c34c688023f3d0eecdf70368e14fc1c48d4e2f920eb5436a51d43b0be57618126e44ccb8653f2a668d73a95bde544a17307acf068529f60e3c2404995947f464c0b47f1cf750fcb9b6dd3a6b10ac1f5ecdd6325c73dddc96a994d4400fdc10"}]}}]}}]}}]}}, &(0x7f0000000780)={0xa, &(0x7f00000005c0)={0xa, 0x6, 0x110, 0x2, 0x4, 0x10, 0x40, 0x80}, 0x2a, &(0x7f0000000600)={0x5, 0xf, 0x2a, 0x4, [@ptm_cap={0x3}, @wireless={0xb, 0x10, 0x1, 0x2, 0x1, 0x0, 0x4c, 0x101, 0xca}, @ss_container_id={0x14, 0x10, 0x4, 0x48, "32f3ef4191bfe5c027aeb6b0d5811a1a"}, @ptm_cap={0x3}]}, 0x2, [{0xd3, &(0x7f0000000640)=@string={0xd3, 0x3, "a6e95d8e9085ed63f0c8c48e475ef05d7398b5de13ed70f52b8da81a5d4df40526a12e9d115a4d2bcedf5489e74083d0ec31b5ad983bfac532d89957f74174a9dc099a385344044109cfc9b7f52a09339a61987ebf922413ef7d8c62b7ef760f8e8b82e17e62920252e63812977be08e9332d486b5fcc7aa3c00713abdca6f2d44c909a665d2d63292b329b68b1581c293cf3757a7e7aba8616be66b6550660211697dd38e0c67c7b397170b637843dcc5dd04d3865114b7d25e8ba7fb9ecbab11c515b5059c32acc894d4635b22b6a311"}}, {0x4, &(0x7f0000000740)=@lang_id={0x4, 0x3, 0x41b}}]}) r4 = openat$pmem0(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0) ioctl$BLKREPORTZONE(r4, 0xc0101282, &(0x7f0000000040)={0x400}) syz_usb_control_io$lan78xx(r3, &(0x7f0000000840)={0x14, &(0x7f00000007c0)={0x20, 0x0, 0x2c, {0x2c, 0x77, "bd45a73c3edbe6930711047208fcce828f018cac6c14ce0754c21a58f7f4d75a4ca1078c443ceb1528d7"}}, &(0x7f0000000800)={0x0, 0x3, 0x4, @lang_id={0x4, 0x3, 0x457}}}, &(0x7f0000000ac0)={0x34, &(0x7f0000000880)={0x20, 0xd, 0xd8, 
"9484cdaa54e7256f52bc50d782dc03040b8df7dd63502dd1c970b5321721f97d4a92620531f9558a21efbe30b4c13441b8ad7eade932ac4ff55d1cd22b4ad18e9e21ab1f1d23feec0e9c0c8f2879f857b739793ceefd37e93c67c3ab7fd9eb33eccb3247d5517cc9f2c169b23a5755858318838219eaa3e390fbe4f5173eb717ae50bd3a8c71e787829042d2d91f2cf3c17d98d7229ebb19271b0301201b3dfb5599e31fa2640459b97975ba1c4ea318908e1a395c22b3bec80ee13b1baa6427926f8c535564af4bf10d15d48c02ae241ece2cfbdc840254"}, &(0x7f0000000980)={0x0, 0xa, 0x1, 0xfd}, &(0x7f00000009c0)={0x0, 0x8, 0x1, 0x21}, &(0x7f0000000a00)={0xc0, 0xa1, 0x4, 0x3}, &(0x7f0000000a40)={0x40, 0xa0, 0x4, 0x5}, &(0x7f0000000a80)={0xc0, 0xa2, 0x2f, "7c16c50ab501a6824c5f375742c937d745430faea6df7307a76af4fb63683910c57ad334e380c435f7face889c4810"}}) syz_open_dev$char_usb(0xc, 0xb4, 0x0) setsockopt$inet6_tcp_TCP_MD5SIG(0xffffffffffffffff, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x4e01, 0x5, @loopback, 0xa}}, 0x0, 0x0, 0x3d, 0x0, "bb02a3c364ca41d6357e544524474004000b42a21d7214bf92494925208a0e2f964e0000c534a6324d6193fcf19b2df3ee818afaa4ff1f56c54dc46d8b6d2ccd008aa0cc1dc2767bbe00"}, 0xd8) r5 = socket$kcm(0x23, 0x5, 0x0) r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0) ioctl$TUNSETIFF(r6, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201}) setsockopt$sock_int(r5, 0x1, 0x6, &(0x7f0000000240)=0x9, 0x4) listen(r5, 0x800) r7 = socket$kcm(0x10, 0x2, 0x0) sendmsg$inet(r7, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000f00)=[{&(0x7f0000000200)="5c00000014006b05c84e21000ab16d6e230675f811000000440002005817d30461bc24eeb556a7ef595105ea1698fa51f60a64c9f408000000e786a6d0bdbdc3d44bd70011b6c0504bb9189d9193e9bd00"/92, 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x240040c4) r8 = socket$phonet_pipe(0x23, 0x5, 0x2) connect$phonet_pipe(r8, &(0x7f0000000040)={0x23, 0x0, 0x58}, 0x10) accept4(r5, 0x0, 0x0, 0x80000) r9 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r9, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r6, 
&(0x7f0000000380)=ANY=[@ANYBLOB="1c0000f500000000000000862dfdff000000"], 0x78) openat$nvme_fabrics(0xffffffffffffff9c, &(0x7f0000000080), 0x733300, 0x0) [ 87.483158][ T45] Bluetooth: hci0: command tx timeout [ 87.844242][ T10] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 87.994151][ T10] usb 5-1: Using ep0 maxpacket: 8 [ 88.000833][ T10] usb 5-1: config index 0 descriptor too short (expected 5924, got 36) [ 88.004776][ T10] usb 5-1: config 250 has an invalid interface number: 228 but max is -1 [ 88.008318][ T10] usb 5-1: config 250 has 1 interface, different from the descriptor's value: 0 [ 88.012112][ T10] usb 5-1: config 250 has no interface number 0 [ 88.015418][ T10] usb 5-1: config 250 interface 228 altsetting 255 endpoint 0x1 has invalid maxpacket 65280, setting to 1024 [ 88.021169][ T10] usb 5-1: config 250 interface 228 altsetting 255 bulk endpoint 0x1 has invalid maxpacket 1024 [ 88.026714][ T10] usb 5-1: config 250 interface 228 altsetting 255 endpoint 0x82 has invalid wMaxPacketSize 0 [ 88.031832][ T10] usb 5-1: config 250 interface 228 altsetting 255 bulk endpoint 0x82 has invalid maxpacket 0 [ 88.037950][ T10] usb 5-1: config 250 interface 228 altsetting 255 has 2 endpoint descriptors, different from the interface descriptor's value: 17 [ 88.044513][ T10] usb 5-1: config 250 interface 228 has no altsetting 0 [ 88.049294][ T10] usb 5-1: New USB device found, idVendor=0525, idProduct=d292, bcdDevice= 0.07 [ 88.053170][ T10] usb 5-1: New USB device strings: Mfr=0, Product=106, SerialNumber=59 [ 88.061905][ T10] usb 5-1: Product: syz [ 88.066111][ T10] usb 5-1: SerialNumber: syz [ 88.095893][ T10] hub 5-1:250.228: bad descriptor, ignoring hub [ 88.099570][ T10] hub 5-1:250.228: probe with driver hub failed with error -5 [ 88.320982][ T10] usblp 5-1:250.228: usblp0: USB Bidirectional printer dev 2 if 228 alt 255 proto 3 vid 0x0525 pid 0xD292 [ 88.507492][ T10] usb 5-1: reset high-speed USB device number 2 using dummy_hcd [ 88.861788][ 
T5326] netlink: 8 bytes leftover after parsing attributes in process `syz.0.0'. [ 88.866087][ T5326] netlink: 12 bytes leftover after parsing attributes in process `syz.0.0'. [ 88.870039][ T5326] Zero length message leads to an empty skb [ 89.133407][ T5327] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 89.192184][ T5326] syz.0.0 uses obsolete (PF_INET,SOCK_PACKET) [ 89.199934][ C0] [ 89.201070][ C0] ================================ [ 89.203348][ C0] WARNING: inconsistent lock state [ 89.205652][ C0] syzkaller #0 Not tainted [ 89.207558][ C0] -------------------------------- [ 89.210063][ C0] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. [ 89.212920][ C0] syz.0.0/5325 [HC0[0]:SC1[1]:HE1:SE0] takes: [ 89.215496][ C0] ffff88803f0d3c68 (slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1bf/0x9e0 [ 89.219538][ C0] {SOFTIRQ-ON-W} state was registered at: [ 89.222058][ C0] lock_acquire+0x106/0x350 [ 89.224134][ C0] _raw_spin_lock_nested+0x32/0x50 [ 89.226480][ C0] __sk_receive_skb+0x1bf/0x9e0 [ 89.228664][ C0] pep_do_rcv+0x685/0xaa0 [ 89.230313][ C0] __release_sock+0x297/0x3a0 [ 89.232236][ C0] release_sock+0x190/0x260 [ 89.234014][ C0] pep_sock_accept+0xdf5/0x12b0 [ 89.235902][ C0] pn_socket_accept+0xc9/0x2e0 [ 89.237977][ C0] do_accept+0x521/0x760 [ 89.239912][ C0] __sys_accept4+0x139/0x230 [ 89.242118][ C0] __x64_sys_accept4+0x9a/0xb0 [ 89.244531][ C0] do_syscall_64+0x15f/0xf80 [ 89.246793][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.249608][ C0] irq event stamp: 2382 [ 89.251493][ C0] hardirqs last enabled at (2382): [] _raw_spin_unlock_irq+0x23/0x50 [ 89.255757][ C0] hardirqs last disabled at (2381): [] _raw_spin_lock_irq+0x17/0x50 [ 89.260052][ C0] softirqs last enabled at (2376): [] netif_rx+0x79/0x90 [ 89.263684][ C0] softirqs last disabled at (2377): [] do_softirq+0x76/0xd0 [ 89.267543][ C0] [ 89.267543][ C0] other info that might help us debug this: [ 89.271156][ C0] Possible unsafe locking scenario: [ 89.271156][ C0] [ 
89.274215][ C0] CPU0 [ 89.275685][ C0] ---- [ 89.277198][ C0] lock(slock-AF_PHONET/1); [ 89.279153][ C0] <Interrupt> [ 89.280595][ C0] lock(slock-AF_PHONET/1); [ 89.282607][ C0] [ 89.282607][ C0] *** DEADLOCK *** [ 89.282607][ C0] [ 89.285949][ C0] 5 locks held by syz.0.0/5325: [ 89.287840][ C0] #0: ffff88804597ce40 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: sock_close+0x9b/0x240 [ 89.292058][ C0] #1: ffff88803f0d4360 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: pep_sock_close+0x86/0x5b0 [ 89.295833][ C0] #2: ffffffff8e95cca0 (rcu_read_lock){....}-{1:3}, at: process_backlog+0x3eb/0x1950 [ 89.299703][ C0] #3: ffff88803f0d4968 (slock-AF_PHONET){+.-.}-{3:3}, at: __sk_receive_skb+0x1f1/0x9e0 [ 89.303851][ C0] #4: ffff88803f0d49e0 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: phonet_rcv+0x781/0xc40 [ 89.307953][ C0] [ 89.307953][ C0] stack backtrace: [ 89.310572][ C0] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 89.310587][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 89.310594][ C0] Call Trace: [ 89.310601][ C0] <IRQ> [ 89.310606][ C0] dump_stack_lvl+0xe8/0x150 [ 89.310624][ C0] print_usage_bug+0x28b/0x2e0 [ 89.310638][ C0] mark_lock_irq+0x410/0x420 [ 89.310652][ C0] mark_lock+0x115/0x190 [ 89.310663][ C0] __lock_acquire+0x689/0x2cf0 [ 89.310676][ C0] ? sk_filter_trim_cap+0x1a7/0xe70 [ 89.310692][ C0] ? sk_filter_trim_cap+0x91e/0xe70 [ 89.310706][ C0] ? is_bpf_text_address+0x26/0x2b0 [ 89.310716][ C0] ? lock_acquire+0x106/0x350 [ 89.310727][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 89.310737][ C0] lock_acquire+0x106/0x350 [ 89.310747][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 89.310759][ C0] _raw_spin_lock_nested+0x32/0x50 [ 89.310775][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 89.310785][ C0] __sk_receive_skb+0x1bf/0x9e0 [ 89.310796][ C0] pep_do_rcv+0x685/0xaa0 [ 89.310811][ C0] ? __pfx_pep_do_rcv+0x10/0x10 [ 89.310826][ C0] ? __pfx_pep_do_rcv+0x10/0x10 [ 89.310838][ C0] ? 
phonet_rcv+0x781/0xc40 [ 89.310849][ C0] __sk_receive_skb+0x962/0x9e0 [ 89.310861][ C0] phonet_rcv+0x781/0xc40 [ 89.310874][ C0] ? __pfx_phonet_rcv+0x10/0x10 [ 89.310885][ C0] ? process_backlog+0x3eb/0x1950 [ 89.310895][ C0] ? process_backlog+0x3eb/0x1950 [ 89.310905][ C0] ? __pfx_phonet_rcv+0x10/0x10 [ 89.310917][ C0] ? process_backlog+0x3eb/0x1950 [ 89.310928][ C0] process_backlog+0xc66/0x1950 [ 89.310943][ C0] __napi_poll+0xae/0x340 [ 89.310952][ C0] ? skb_defer_free_flush+0x233/0x260 [ 89.310961][ C0] net_rx_action+0x627/0xf70 [ 89.310969][ C0] ? lock_acquire+0x106/0x350 [ 89.310976][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 89.310987][ C0] handle_softirqs+0x22a/0x840 [ 89.310995][ C0] ? do_softirq+0x76/0xd0 [ 89.311001][ C0] ? netif_rx+0x79/0x90 [ 89.311009][ C0] do_softirq+0x76/0xd0 [ 89.311015][ C0] </IRQ> [ 89.311017][ C0] <TASK> [ 89.311020][ C0] __local_bh_enable_ip+0xf8/0x130 [ 89.311026][ C0] netif_rx+0x83/0x90 [ 89.311034][ C0] pn_send+0x62a/0x8e0 [ 89.311043][ C0] pn_skb_send+0x218/0x510 [ 89.311050][ C0] pep_sock_close+0x2c1/0x5b0 [ 89.311062][ C0] pn_socket_release+0x9b/0xc0 [ 89.311072][ C0] sock_close+0xc3/0x240 [ 89.311087][ C0] ? __pfx_sock_close+0x10/0x10 [ 89.311101][ C0] __fput+0x44f/0xa60 [ 89.311114][ C0] task_work_run+0x1d9/0x270 [ 89.311130][ C0] ? __pfx_task_work_run+0x10/0x10 [ 89.311144][ C0] exit_to_user_mode_loop+0xf3/0x4d0 [ 89.311155][ C0] ? rcu_is_watching+0x15/0xb0 [ 89.311167][ C0] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.311178][ C0] do_syscall_64+0x33e/0xf80 [ 89.311193][ C0] ? 
clear_bhb_loop+0x40/0x90 [ 89.311204][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.311215][ C0] RIP: 0033:0x7f4aae79ce59 [ 89.311226][ C0] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 89.311234][ C0] RSP: 002b:00007ffcf7d7fb68 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 89.311246][ C0] RAX: 0000000000000000 RBX: 00007ffcf7d7fc50 RCX: 00007f4aae79ce59 [ 89.311253][ C0] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 89.311259][ C0] RBP: 000000000001555e R08: 0000000000000001 R09: 0000000000000000 [ 89.311265][ C0] R10: 00007f4aae5ff030 R11: 0000000000000246 R12: 00007ffcf7d7fc90 [ 89.311272][ C0] R13: 00007f4aaea15fac R14: 0000000000015c05 R15: 00007f4aaea15fa0 [ 89.311282][ C0] </TASK> [ 89.494400][ T45] Bluetooth: hci0: command tx timeout [ 89.594276][ T5313] usb 5-1: USB disconnect, device number 2 [ 89.598740][ T5313] usblp0: removed