syzbot

cm109 1-1:0.8: cm109_urb_irq_callback: urb status -71
------------[ cut here ]------------
URB ffff8880166a2a00 submitted while active
WARNING: CPU: 0 PID: 5044 at drivers/usb/core/urb.c:379 usb_submit_urb+0x15b3/0x1820 drivers/usb/core/urb.c:379
Modules linked in:
CPU: 0 PID: 5044 Comm: syz-executor340 Not tainted 6.5.0-syzkaller-08894-gb97d64c72259 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:usb_submit_urb+0x15b3/0x1820 drivers/usb/core/urb.c:379
Code: cd 0e fe eb cb bb fe ff ff ff e9 e1 f2 ff ff e8 83 55 44 fb 48 89 de 48 c7 c7 c0 12 20 8b c6 05 d9 7c 54 08 01 e8 dd 9f 0a fb <0f> 0b e9 ba fe ff ff bb f8 ff ff ff e9 b5 f2 ff ff 48 89 ef e8 04
RSP: 0018:ffffc90000007948 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff8880166a2a00 RCX: 0000000000000100
RDX: ffff88801ef91dc0 RSI: ffffffff814d8ca6 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000046
R13: ffff888028a24058 R14: 000000000000000f R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f78e3b14af8 CR3: 000000000c776000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 cm109_urb_irq_callback+0x2e7/0xb50 drivers/input/misc/cm109.c:422
 __usb_hcd_giveback_urb+0x359/0x5c0 drivers/usb/core/hcd.c:1671
 usb_hcd_giveback_urb+0x389/0x430 drivers/usb/core/hcd.c:1754
 dummy_timer+0x1415/0x35f0 drivers/usb/gadget/udc/dummy_hcd.c:1987
 call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x764/0xb10 kernel/time/timer.c:2022
 run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
 __do_softirq+0x218/0x965 kernel/softirq.c:553
 invoke_softirq kernel/softirq.c:427 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1074
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
RIP: 0010:write_comp_data+0x0/0x90 kernel/kcov.c:236
Code: 65 8b 15 fb 7f 7c 7e 81 e2 00 01 ff 00 75 10 65 48 8b 04 25 80 ba 03 00 48 8b 80 f8 15 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 <65> 8b 05 d1 7f 7c 7e 49 89 f1 89 c6 49 89 d2 81 e6 00 01 00 00 49
RSP: 0018:ffffc9000397f758 EFLAGS: 00000206
RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff813a1075
RDX: 0000000000000005 RSI: 0000000000000006 RDI: 0000000000000001
RBP: ffffffff8a69d140 R08: 0000000000000001 R09: 0000000000000005
R10: 0000000000000005 R11: ffffffff814f226e R12: 0000000000000005
R13: 0000000000000001 R14: 0000000000000008 R15: ffffc9000397f845
 __sanitizer_cov_trace_switch+0x54/0x90 kernel/kcov.c:341
 unwind_next_frame+0x6b5/0x2390 arch/x86/kernel/unwind_orc.c:515
 arch_stack_walk+0xfa/0x170 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 __kmem_cache_free+0xb8/0x2f0 mm/slub.c:3822
 dummy_free_request drivers/usb/gadget/udc/dummy_hcd.c:683 [inline]
 dummy_free_request+0x56/0x80 drivers/usb/gadget/udc/dummy_hcd.c:672
 dev_free+0x1c8/0x700 drivers/usb/gadget/legacy/raw_gadget.c:216
 kref_put include/linux/kref.h:65 [inline]
 raw_release+0x184/0x2e0 drivers/usb/gadget/legacy/raw_gadget.c:426
 __fput+0x3f7/0xa70 fs/file_table.c:384
 task_work_run+0x14d/0x240 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa99/0x2a20 kernel/exit.c:874
 do_group_exit+0xd4/0x2a0 kernel/exit.c:1024
 __do_sys_exit_group kernel/exit.c:1035 [inline]
 __se_sys_exit_group kernel/exit.c:1033 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1033
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f78e3aca809
Code: Unable to access opcode bytes at 0x7f78e3aca7df.
RSP: 002b:00007ffc5d4f7b28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f78e3aca809
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007f78e3b46390 R08: ffffffffffffffb8 R09: 0000000000000006
R10: 00007ffc5d4f7897 R11: 0000000000000246 R12: 00007f78e3b46390
R13: 0000000000000000 R14: 00007f78e3b4a0a0 R15: 00007f78e3a98aa0
 </TASK>
----------------
Code disassembly (best guess):
   0:	65 8b 15 fb 7f 7c 7e 	mov    %gs:0x7e7c7ffb(%rip),%edx        # 0x7e7c8002
   7:	81 e2 00 01 ff 00    	and    $0xff0100,%edx
   d:	75 10                	jne    0x1f
   f:	65 48 8b 04 25 80 ba 	mov    %gs:0x3ba80,%rax
  16:	03 00
  18:	48 8b 80 f8 15 00 00 	mov    0x15f8(%rax),%rax
  1f:	c3                   	ret
  20:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  27:	00 00 00
* 2a:	65 8b 05 d1 7f 7c 7e 	mov    %gs:0x7e7c7fd1(%rip),%eax        # 0x7e7c8002 <-- trapping instruction
  31:	49 89 f1             	mov    %rsi,%r9
  34:	89 c6                	mov    %eax,%esi
  36:	49 89 d2             	mov    %rdx,%r10
  39:	81 e6 00 01 00 00    	and    $0x100,%esi
  3f:	49                   	rex.WB