cm109 1-1:0.8: cm109_urb_irq_callback: urb status -71
------------[ cut here ]------------
URB ffff888148251d00 submitted while active
WARNING: CPU: 0 PID: 75 at drivers/usb/core/urb.c:379 usb_submit_urb+0xff0/0x1910 drivers/usb/core/urb.c:379
Modules linked in:
CPU: 0 PID: 75 Comm: kworker/u4:4 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
RIP: 0010:usb_submit_urb+0xff0/0x1910 drivers/usb/core/urb.c:379
Code: 40 0e 8b 89 ea e8 a6 69 f3 03 e9 f7 fb ff ff e8 d6 f2 6a fb c6 05 2d bd d4 07 01 48 c7 c7 40 3e 0e 8b 48 89 de e8 40 0e 37 fb <0f> 0b e9 86 f0 ff ff e8 b4 f2 6a fb eb 21 e8 ad f2 6a fb 44 8b 6c
RSP: 0018:ffffc90000007820 EFLAGS: 00010046
RAX: dc8cf348f77e8500 RBX: ffff888148251d00 RCX: ffff888019768000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: 000000000000000f R08: dffffc0000000000 R09: ffffed10171c4f34
R10: ffffed10171c4f34 R11: 1ffff110171c4f33 R12: dffffc0000000000
R13: 0000000000000a20 R14: ffff888148251d08 R15: ffff888073d62048
FS:  0000000000000000(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000001000 CR3: 000000005e5bf000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 cm109_urb_irq_callback+0x728/0xc90 drivers/input/misc/cm109.c:422
 __usb_hcd_giveback_urb+0x35f/0x520 drivers/usb/core/hcd.c:1675
 dummy_timer+0x86f/0x3130 drivers/usb/gadget/udc/dummy_hcd.c:1994
 __run_hrtimer kernel/time/hrtimer.c:1747 [inline]
 __hrtimer_run_queues+0x554/0xd60 kernel/time/hrtimer.c:1811
 hrtimer_run_softirq+0x183/0x2a0 kernel/time/hrtimer.c:1828
 handle_softirqs+0x2a1/0x920 kernel/softirq.c:596
 __do_softirq kernel/softirq.c:630 [inline]
 invoke_softirq kernel/softirq.c:470 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:679
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:preempt_count_sub+0x1/0x160 kernel/sched/core.c:5732
Code: c7 c1 e8 42 ff 8d 80 e1 07 80 c1 03 38 c1 0f 8c 6e ff ff ff 48 c7 c7 e8 42 ff 8d e8 69 4f 79 00 89 df e9 5b ff ff ff 66 90 55 <53> 48 bb 00 00 00 00 00 fc ff df 48 c7 c0 40 f1 9c 96 48 c1 e8 03
RSP: 0018:ffffc900015d7620 EFLAGS: 00000206
RAX: ffffc900015d8000 RBX: ffffc900015d7708 RCX: ffffc900015d7848
RDX: ffffc900015d7701 RSI: dffffc0000000000 RDI: 0000000000000001
RBP: ffffffff8e8183ee R08: ffffc900015d7830 R09: ffffc900015d7758
R10: fffff520002baeed R11: 1ffff920002baeeb R12: ffffc900015d0000
R13: dffffc0000000000 R14: ffffc900015d7718 R15: ffffc900015d7840
 unwind_next_frame+0x1880/0x20b0 arch/x86/kernel/unwind_orc.c:629
 arch_stack_walk+0x10c/0x140 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x98/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2d/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1729 [inline]
 slab_free_freelist_hook+0x131/0x1a0 mm/slub.c:1755
 slab_free mm/slub.c:3687 [inline]
 __kmem_cache_free+0xb6/0x1f0 mm/slub.c:3700
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x6f0/0xb80 net/core/net_namespace.c:640
 process_one_work+0x898/0x1160 kernel/workqueue.c:2292
 worker_thread+0xaa2/0x1250 kernel/workqueue.c:2439
 kthread+0x29d/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
----------------
Code disassembly (best guess):
   0:	c7 c1 e8 42 ff 8d    	mov    $0x8dff42e8,%ecx
   6:	80 e1 07             	and    $0x7,%cl
   9:	80 c1 03             	add    $0x3,%cl
   c:	38 c1                	cmp    %al,%cl
   e:	0f 8c 6e ff ff ff    	jl     0xffffff82
  14:	48 c7 c7 e8 42 ff 8d 	mov    $0xffffffff8dff42e8,%rdi
  1b:	e8 69 4f 79 00       	call   0x794f89
  20:	89 df                	mov    %ebx,%edi
  22:	e9 5b ff ff ff       	jmp    0xffffff82
  27:	66 90                	xchg   %ax,%ax
  29:	55                   	push   %rbp
* 2a:	53                   	push   %rbx <-- trapping instruction
  2b:	48 bb 00 00 00 00 00 	movabs $0xdffffc0000000000,%rbx
  32:	fc ff df
  35:	48 c7 c0 40 f1 9c 96 	mov    $0xffffffff969cf140,%rax
  3c:	48 c1 e8 03          	shr    $0x3,%rax