syzbot

cm109 1-1:0.0: cm109_urb_irq_callback: urb status -71
------------[ cut here ]------------
URB 00000000c292c6d3 submitted while active
WARNING: CPU: 1 PID: 3620 at drivers/usb/core/urb.c:378 usb_submit_urb+0x14e2/0x18a0 drivers/usb/core/urb.c:378
Modules linked in:
CPU: 1 PID: 3620 Comm: syz-executor235 Not tainted 5.17.0-rc6-syzkaller-00046-g719fce7539cd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:usb_submit_urb+0x14e2/0x18a0 drivers/usb/core/urb.c:378
Code: 89 de e8 71 5b 0e fc 84 db 0f 85 a9 f3 ff ff e8 04 58 0e fc 4c 89 fe 48 c7 c7 a0 d5 4a 8a c6 05 3e c1 15 08 01 e8 eb 0d 9e 03 <0f> 0b e9 87 f3 ff ff 41 be ed ff ff ff e9 7c f3 ff ff e8 d7 57 0e
RSP: 0018:ffffc90000fd89d0 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888079ca81c0 RSI: ffffffff815f12d8 RDI: fffff520001fb12c
RBP: ffff88801b096580 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815eb96e R11: 0000000000000000 R12: 0000000000000046
R13: ffff88801b945058 R14: 00000000fffffff0 R15: ffff88801c7da300
FS:  0000555555b58300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6ced204109 CR3: 00000000191df000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 cm109_urb_irq_callback+0x44c/0xaa0 drivers/input/misc/cm109.c:422
 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
 usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1747
 dummy_timer+0x11f9/0x32b0 drivers/usb/gadget/udc/dummy_hcd.c:1987
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:trace_ext4_es_lookup_extent_enter include/trace/events/ext4.h:2244 [inline]
RIP: 0010:ext4_es_lookup_extent+0x891/0xcf0 fs/ext4/extents_status.c:929
Code: c9 68 ff 0f 0b e8 7f c9 68 ff 65 ff 05 38 57 f3 7d 48 c7 c0 a0 15 80 8d 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 <0f> 85 01 04 00 00 48 8b 05 f2 fc 70 0b e8 dd 87 53 ff 31 ff 89 c3
RSP: 0018:ffffc900028178f0 EFLAGS: 00000246
RAX: 1ffffffff1b002b4 RBX: 0000000000000001 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: ffffffff820f1881 RDI: 0000000000000003
RBP: ffff88806df202e0 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff820f114a R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90002817aac
 ext4_map_blocks+0x1f1/0x18a0 fs/ext4/inode.c:530
 ext4_getblk+0x553/0x6b0 fs/ext4/inode.c:849
 ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:902
 __ext4_read_dirblock+0x34/0xc10 fs/ext4/namei.c:116
 ext4_add_entry+0x77d/0xe90 fs/ext4/namei.c:2350
 ext4_add_nondir+0x90/0x290 fs/ext4/namei.c:2709
 ext4_symlink+0x873/0xd40 fs/ext4/namei.c:3363
 vfs_symlink fs/namei.c:4299 [inline]
 vfs_symlink+0x108/0x2c0 fs/namei.c:4284
 do_symlinkat+0x261/0x2e0 fs/namei.c:4328
 __do_sys_symlink fs/namei.c:4350 [inline]
 __se_sys_symlink fs/namei.c:4348 [inline]
 __x64_sys_symlink+0x75/0x90 fs/namei.c:4348
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f6ced1c5777
Code: 24 30 ba 22 00 00 00 4c 8b 74 24 28 64 c7 03 22 00 00 00 e9 76 fd ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa0e87688 EFLAGS: 00000202 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 000000000000de8d RCX: 00007f6ced1c5777
RDX: ffffffffffffffc0 RSI: 00007f6ced204127 RDI: 00007f6ced204132
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fffa0e87100
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fffa0e876ac
R13: 00007fffa0e876e0 R14: 00007fffa0e876c0 R15: 0000000000000004
 </TASK>
----------------
Code disassembly (best guess):
   0:	c9                   	leaveq
   1:	68 ff 0f 0b e8       	pushq  $0xffffffffe80b0fff
   6:	7f c9                	jg     0xffffffd1
   8:	68 ff 65 ff 05       	pushq  $0x5ff65ff
   d:	38 57 f3             	cmp    %dl,-0xd(%rdi)
  10:	7d 48                	jge    0x5a
  12:	c7 c0 a0 15 80 8d    	mov    $0x8d8015a0,%eax
  18:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  1f:	fc ff df
  22:	48 c1 e8 03          	shr    $0x3,%rax
  26:	80 3c 10 00          	cmpb   $0x0,(%rax,%rdx,1)
* 2a:	0f 85 01 04 00 00    	jne    0x431 <-- trapping instruction
  30:	48 8b 05 f2 fc 70 0b 	mov    0xb70fcf2(%rip),%rax        # 0xb70fd29
  37:	e8 dd 87 53 ff       	callq  0xff538819
  3c:	31 ff                	xor    %edi,%edi
  3e:	89 c3                	mov    %eax,%ebx