syzbot

cm109 2-1:0.8: cm109_urb_irq_callback: urb status -71
------------[ cut here ]------------
URB ffff88802134d200 submitted while active
WARNING: CPU: 0 PID: 5842 at drivers/usb/core/urb.c:379 usb_submit_urb+0x14d5/0x1730 drivers/usb/core/urb.c:379
Modules linked in:
CPU: 0 UID: 0 PID: 5842 Comm: syz-executor115 Not tainted 6.14.0-syzkaller-03576-g1e1ba8d23dae #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:usb_submit_urb+0x14d5/0x1730 drivers/usb/core/urb.c:379
Code: fd eb cb bb fe ff ff ff e9 c6 f3 ff ff e8 93 2b a3 fa c6 05 43 fa 52 09 01 90 48 c7 c7 80 a1 4f 8c 48 89 de e8 cc d5 62 fa 90 <0f> 0b 90 90 e9 b6 fe ff ff bb f8 ff ff ff e9 96 f3 ff ff 48 89 ef
RSP: 0018:ffffc90000007a90 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff88802134d200 RCX: ffffffff817abe18
RDX: ffff88802fba8000 RSI: ffffffff817abe25 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000046
R13: ffff88807e17f858 R14: 000000000000000f R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff888124a54000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdae90b4ba8 CR3: 000000000e182000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 cm109_submit_ctl drivers/input/misc/cm109.c:380 [inline]
 cm109_urb_irq_callback+0x2e7/0xb70 drivers/input/misc/cm109.c:431
 __usb_hcd_giveback_urb+0x38a/0x6e0 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x180e/0x3a20 drivers/usb/gadget/udc/dummy_hcd.c:1994
 __run_hrtimer kernel/time/hrtimer.c:1791 [inline]
 __hrtimer_run_queues+0x1ff/0xad0 kernel/time/hrtimer.c:1855
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1872
 handle_softirqs+0x216/0x8e0 kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:566 [inline]
RIP: 0010:__mutex_lock+0x154/0xb00 kernel/locking/mutex.c:732
Code: d2 0f 85 66 07 00 00 8b 35 69 c0 4c 0f 85 f6 75 29 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 60 48 89 fa 48 c1 ea 03 80 3c 02 00 <0f> 85 4e 07 00 00 48 3b 5b 60 0f 85 e6 01 00 00 bf 01 00 00 00 e8
RSP: 0018:ffffc900030c79c0 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffffffff9065aa80 RCX: 1ffffffff35584d4
RDX: 1ffffffff20cb55c RSI: 0000000000000000 RDI: ffffffff9065aae0
RBP: ffffc900030c7b00 R08: ffffffff8b540fa6 R09: 0000000000000000
R10: ffffc900030c7b18 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000002 R14: 0000000000000000 R15: ffffc900030c7a40
 uevent_net_broadcast_untagged lib/kobject_uevent.c:317 [inline]
 kobject_uevent_net_broadcast lib/kobject_uevent.c:410 [inline]
 kobject_uevent_env+0xb36/0x1870 lib/kobject_uevent.c:608
 device_remove+0xc8/0x170 drivers/base/dd.c:567
 __device_release_driver drivers/base/dd.c:1273 [inline]
 device_release_driver_internal+0x44b/0x620 drivers/base/dd.c:1296
 driver_detach+0xd8/0x1b0 drivers/base/dd.c:1359
 bus_remove_driver+0x13b/0x2c0 drivers/base/bus.c:747
 driver_unregister+0x76/0xb0 drivers/base/driver.c:277
 usb_gadget_unregister_driver+0x49/0x70 drivers/usb/gadget/udc/core.c:1732
 raw_release+0x1ae/0x2b0 drivers/usb/gadget/legacy/raw_gadget.c:462
 __fput+0x3ff/0xb70 fs/file_table.c:465
 task_work_run+0x14d/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xaea/0x2d60 kernel/exit.c:954
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1103
 __do_sys_exit_group kernel/exit.c:1114 [inline]
 __se_sys_exit_group kernel/exit.c:1112 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1112
 x64_sys_call+0x1530/0x1730 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdae906a8f9
Code: Unable to access opcode bytes at 0x7fdae906a8cf.
RSP: 002b:00007ffc3760a278 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdae906a8f9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007fdae90e5390 R08: ffffffffffffffb8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdae90e5390
R13: 0000000000000000 R14: 00007fdae90e90a0 R15: 00007fdae9038ab0
 </TASK>
----------------
Code disassembly (best guess):
   0:	d2 0f                	rorb   %cl,(%rdi)
   2:	85 66 07             	test   %esp,0x7(%rsi)
   5:	00 00                	add    %al,(%rax)
   7:	8b 35 69 c0 4c 0f    	mov    0xf4cc069(%rip),%esi        # 0xf4cc076
   d:	85 f6                	test   %esi,%esi
   f:	75 29                	jne    0x3a
  11:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  18:	fc ff df
  1b:	48 8d 7b 60          	lea    0x60(%rbx),%rdi
  1f:	48 89 fa             	mov    %rdi,%rdx
  22:	48 c1 ea 03          	shr    $0x3,%rdx
  26:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
* 2a:	0f 85 4e 07 00 00    	jne    0x77e <-- trapping instruction
  30:	48 3b 5b 60          	cmp    0x60(%rbx),%rbx
  34:	0f 85 e6 01 00 00    	jne    0x220
  3a:	bf 01 00 00 00       	mov    $0x1,%edi
  3f:	e8                   	.byte 0xe8