WARNING in bcm5974_start_traffic/usb_submit

WARNING in bcm5974_start_traffic/usb_submit_urb
Status: upstream: reported C repro on 2019/11/08 13:54
Reported-by: syzbot+348331f63b034f89b622@syzkaller.appspotmail.com
First crash: 276d, last: 45d

Sample crash report:

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 367 at drivers/usb/core/urb.c:478 usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 367 Comm: systemd-udevd Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 panic+0x2aa/0x6e1 kernel/panic.c:221
 __warn.cold+0x2f/0x30 kernel/panic.c:582
 report_bug+0x27b/0x2f0 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:175 [inline]
 fixup_bug arch/x86/kernel/traps.c:170 [inline]
 do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:267
 do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478
Code: 4d 85 ed 74 46 e8 38 c2 d2 fd 4c 89 f7 e8 70 ac 16 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 00 52 3d 86 e8 40 96 a6 fd <0f> 0b e9 20 f4 ff ff e8 0c c2 d2 fd 0f 1f 44 00 00 e8 02 c2 d2 fd
RSP: 0018:ffff8881ce12f7d0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff812a2d8d RDI: ffffed1039c25eec
RBP: ffff8881d0010300 R08: ffff8881ce170000 R09: ffffed103b646292
R10: ffff8881db23148f R11: ffffed103b646291 R12: 0000000000000001
R13: ffff8881d9ba5c00 R14: ffff8881d30180a0 R15: ffff8881d4275b00
 bcm5974_start_traffic drivers/input/mouse/bcm5974.c:799 [inline]
 bcm5974_start_traffic+0xbd/0x170 drivers/input/mouse/bcm5974.c:783
 bcm5974_open+0x9f/0x160 drivers/input/mouse/bcm5974.c:839
 input_open_device+0x16c/0x2c0 drivers/input/input.c:624
 evdev_open_device drivers/input/evdev.c:414 [inline]
 evdev_open+0x3e1/0x500 drivers/input/evdev.c:496
 chrdev_open+0x219/0x5c0 fs/char_dev.c:414
 do_dentry_open+0x4ac/0x1160 fs/open.c:797
 do_open fs/namei.c:3229 [inline]
 path_openat+0x1a0b/0x2740 fs/namei.c:3346
 do_filp_open+0x192/0x260 fs/namei.c:3373
 do_sys_openat2+0x585/0x7d0 fs/open.c:1148
 do_sys_open+0xc3/0x140 fs/open.c:1164
 do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x7f20bbfc8840
Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
RSP: 002b:00007ffebdae21f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00005617a994ced0 RCX: 00007f20bbfc8840
RDX: 0000000000000000 RSI: 0000000000080000 RDI: 00005617a9961b50
RBP: 00005617a9961b50 R08: 00005617a86fd670 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000020
R13: 0000000000000000 R14: 0000800000000001 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (7):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci2-upstream-usb	2020/05/14 03:56	https://github.com/google/kasan.git usb-fuzzer	059e7e0f	a885920d	.config	log	report	syz	C	gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2019/11/08 02:46	https://github.com/google/kasan.git usb-fuzzer	d60bbfea	f39aff9e	.config	log	report	syz	C	gregkh@linuxfoundation.org, gustavo@embeddedor.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2020/06/26 16:05	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	fb574682	9506ea6d	.config	log	report			gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2020/06/20 18:40	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	f8f02d5c	c655ec77	.config	log	report			gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2020/06/11 03:06	https://github.com/google/kasan.git usb-fuzzer	2089c6ed	3ab7a05a	.config	log	report			gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2020/02/29 02:38	https://github.com/google/kasan.git usb-fuzzer	d6ff8147	c88c7b75	.config	log	report			gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
ci2-upstream-usb	2020/02/27 10:34	https://github.com/google/kasan.git usb-fuzzer	d6ff8147	40bcfdd5	.config	log	report			gregkh@linuxfoundation.org, ingrassia@epigenesys.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org