syzbot

cm109 1-1:0.8: cm109_urb_irq_callback: urb status -71
------------[ cut here ]------------
URB ffff888145fd4900 submitted while active
WARNING: CPU: 1 PID: 23 at drivers/usb/core/urb.c:379 usb_submit_urb+0xfc1/0x1830 drivers/usb/core/urb.c:379
Modules linked in:
CPU: 1 UID: 0 PID: 23 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:usb_submit_urb+0xfc1/0x1830 drivers/usb/core/urb.c:379
Code: 44 89 f2 e8 a1 d6 00 fa e9 13 fc ff ff e8 c7 ed 93 fa c6 05 2c bc 61 08 01 90 48 c7 c7 80 fb 34 8c 48 89 de e8 60 8c 57 fa 90 <0f> 0b 90 90 e9 b7 f0 ff ff e8 a1 ed 93 fa eb 11 e8 9a ed 93 fa bd
RSP: 0018:ffffc90000a087b8 EFLAGS: 00010046
RAX: 150d711d5bb61700 RBX: ffff888145fd4900 RCX: ffff88801cee5a00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: 000000000000000f R08: ffff8880b8724253 R09: 1ffff110170e484a
R10: dffffc0000000000 R11: ffffed10170e484b R12: dffffc0000000000
R13: ffff888030e2b030 R14: ffff888145fd4908 R15: 0000000000000820
FS:  0000000000000000(0000) GS:ffff888125d1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560e33050f28 CR3: 0000000077357000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 cm109_submit_ctl drivers/input/misc/cm109.c:380 [inline]
 cm109_urb_irq_callback+0x709/0xca0 drivers/input/misc/cm109.c:431
 __usb_hcd_giveback_urb+0x41a/0x690 drivers/usb/core/hcd.c:1663
 dummy_timer+0x862/0x4550 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:finish_task_switch+0x26b/0x950 kernel/sched/core.c:5225
Code: 0f 84 3c 01 00 00 48 85 db 0f 85 63 01 00 00 0f 1f 44 00 00 4c 8b 75 d0 4c 89 e7 e8 7f 16 eb 09 e8 7a 3e 36 00 fb 4c 8b 65 c0 <49> 8d bc 24 18 16 00 00 48 89 f8 48 c1 e8 03 42 0f b6 04 28 84 c0
RSP: 0018:ffffc900001d7a38 EFLAGS: 00000282
RAX: 150d711d5bb61700 RBX: 0000000000000000 RCX: 150d711d5bb61700
RDX: 0000000000000000 RSI: ffffffff8be33660 RDI: ffffffff81911696
RBP: ffffc900001d7a90 R08: ffffffff8fa38437 R09: 1ffffffff1f47086
R10: dffffc0000000000 R11: fffffbfff1f47087 R12: ffff88801cee5a00
R13: dffffc0000000000 R14: ffff88802fad5a00 R15: ffff8880b873ab58
 context_switch kernel/sched/core.c:5360 [inline]
 __schedule+0x17a0/0x4cc0 kernel/sched/core.c:6961
 __schedule_loop kernel/sched/core.c:7043 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:7058
 smpboot_thread_fn+0x5bd/0xa60 kernel/smpboot.c:156
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	0f 84 3c 01 00 00    	je     0x142
   6:	48 85 db             	test   %rbx,%rbx
   9:	0f 85 63 01 00 00    	jne    0x172
   f:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  14:	4c 8b 75 d0          	mov    -0x30(%rbp),%r14
  18:	4c 89 e7             	mov    %r12,%rdi
  1b:	e8 7f 16 eb 09       	call   0x9eb169f
  20:	e8 7a 3e 36 00       	call   0x363e9f
  25:	fb                   	sti
  26:	4c 8b 65 c0          	mov    -0x40(%rbp),%r12
* 2a:	49 8d bc 24 18 16 00 	lea    0x1618(%r12),%rdi <-- trapping instruction
  31:	00
  32:	48 89 f8             	mov    %rdi,%rax
  35:	48 c1 e8 03          	shr    $0x3,%rax
  39:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax
  3e:	84 c0                	test   %al,%al