./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor665428032 <...> Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts. execve("./syz-executor665428032", ["./syz-executor665428032"], 0x7fff0e376a00 /* 10 vars */) = 0 brk(NULL) = 0x555555ce0000 brk(0x555555ce0c40) = 0x555555ce0c40 arch_prctl(ARCH_SET_FS, 0x555555ce0300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor665428032", 4096) = 27 brk(0x555555d01c40) = 0x555555d01c40 brk(0x555555d02000) = 0x555555d02000 mprotect(0x7fdce5eb5000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3 ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffe23b1cf40) = 0 ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 [ 53.600373][ T26] audit: type=1400 audit(1667859518.337:75): avc: denied { execmem } for pid=3614 comm="syz-executor665" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 53.621871][ T26] audit: type=1400 audit(1667859518.357:76): avc: denied { read write } for pid=3614 comm="syz-executor665" name="raw-gadget" dev="devtmpfs" ino=731 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 53.653551][ T26] audit: type=1400 audit(1667859518.357:77): avc: denied { open } for pid=3614 comm="syz-executor665" path="/dev/raw-gadget" dev="devtmpfs" ino=731 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 53.677469][ T26] audit: type=1400 audit(1667859518.367:78): avc: denied { ioctl } for pid=3614 comm="syz-executor665" path="/dev/raw-gadget" dev="devtmpfs" ino=731 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 18 [ 53.893178][ T3271] usb 1-1: new high-speed USB device number 2 using dummy_hcd ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 18 [ 54.133121][ T3271] usb 1-1: Using ep0 maxpacket: 16 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 9 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 [ 54.293709][ T3271] usb 1-1: unable to get BOS descriptor or descriptor too short ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 330 [ 54.373772][ T3271] usb 1-1: config 7 has an invalid interface number: 112 but max is 2 [ 54.382029][ T3271] usb 1-1: config 7 has an invalid interface number: 208 but max is 2 [ 54.390225][ T3271] usb 1-1: config 7 has an invalid interface number: 86 but max is 2 [ 54.398321][ T3271] usb 1-1: config 7 has no interface number 0 [ 54.404409][ T3271] usb 1-1: config 7 has no interface number 1 [ 54.410478][ T3271] usb 1-1: config 7 has no interface number 2 [ 54.416884][ T3271] usb 1-1: config 7 interface 208 altsetting 163 endpoint 0x7 has invalid maxpacket 1023, setting to 64 [ 54.428143][ T3271] usb 1-1: config 7 interface 208 altsetting 163 endpoint 0xA has an invalid bInterval 63, changing to 9 [ 54.439399][ T3271] usb 1-1: config 7 interface 208 altsetting 163 has a duplicate endpoint with address 0x7, skipping [ 54.450281][ T3271] usb 1-1: config 7 interface 208 altsetting 163 endpoint 0x1 has invalid maxpacket 1023, setting to 64 [ 54.461422][ T3271] usb 1-1: config 7 interface 208 altsetting 163 endpoint 0x9 has invalid maxpacket 1024, setting to 64 [ 54.472560][ T3271] usb 1-1: config 7 interface 208 altsetting 163 bulk endpoint 0x5 has invalid maxpacket 64 [ 54.482662][ T3271] usb 1-1: config 7 interface 208 altsetting 163 has a duplicate endpoint with address 0x2, skipping [ 54.493553][ T3271] usb 1-1: config 7 interface 208 altsetting 163 endpoint 0xF has invalid maxpacket 1024, setting to 64 [ 54.504691][ T3271] usb 1-1: config 7 interface 208 altsetting 163 has a duplicate endpoint with address 0x9, skipping ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 0 [ 54.515594][ T3271] usb 1-1: config 7 interface 208 altsetting 163 has a duplicate endpoint with address 0xA, skipping [ 54.526657][ T3271] usb 1-1: config 7 interface 208 altsetting 163 endpoint 0xD has invalid maxpacket 1024, setting to 64 [ 54.538120][ T3271] usb 1-1: config 7 interface 86 altsetting 169 has an invalid endpoint with address 0x80, skipping [ 54.548927][ T3271] usb 1-1: config 7 interface 112 has no altsetting 0 [ 54.555741][ T3271] usb 1-1: config 7 interface 208 has no altsetting 0 [ 54.562509][ T3271] usb 1-1: config 7 interface 86 has no altsetting 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffe23b1bf30) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffe23b1cf40) = 0 ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0x3) = 0 ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0 ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffe23b1bf30) = 0 [ 54.803631][ T3271] usb 1-1: string descriptor 0 read error: -22 [ 54.809924][ T3271] usb 1-1: New USB device found, idVendor=077d, idProduct=627a, bcdDevice= 0.10 [ 54.818988][ T3271] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 54.867945][ T3271] ------------[ cut here ]------------ [ 54.873768][ T3271] usb 1-1: BOGUS urb xfer, pipe 1 != type 3 [ 54.879927][ T3271] WARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 [ 54.889551][ T3271] Modules linked in: [ 54.893506][ T3271] CPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0 [ 54.901840][ T3271] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 54.911935][ T3271] Workqueue: usb_hub_wq hub_event [ 54.917010][ T3271] RIP: 0010:usb_submit_urb+0xed2/0x1880 [ 54.922547][ T3271] Code: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 <0f> 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7 [ 54.942206][ T3271] RSP: 0018:ffffc90003876dd0 EFLAGS: 00010282 [ 54.948308][ T3271] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 [ 54.956312][ T3271] RDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac [ 54.964316][ T3271] RBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000 [ 54.972274][ T3271] R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001 [ 54.980970][ T3271] R13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200 [ 54.988968][ T3271] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 54.997944][ T3271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 55.004562][ T3271] CR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0 [ 55.012528][ T3271] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 55.020558][ T3271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 55.028580][ T3271] Call Trace: [ 55.031872][ T3271] [ 55.034847][ T3271] ? __init_swait_queue_head+0xc6/0x150 [ 55.040418][ T3271] usb_start_wait_urb+0x101/0x4b0 [ 55.045477][ T3271] ? usb_api_blocking_completion+0xa0/0xa0 [ 55.051292][ T3271] ? memset+0x20/0x40 [ 55.055323][ T3271] usb_bulk_msg+0x226/0x550 [ 55.059833][ T3271] shark_write_reg+0x1ff/0x2e0 exit_group(0) = ? +++ exited with 0 +++ [ 55.064646][ T3271] ? devm_of_led_get+0x110/0