program:
r0 = syz_usb_connect(0x3, 0x3c, &(0x7f0000000380)=ANY=[@ANYBLOB="120101000814c910be0632a2f333010203010902120001000000000904"], 0x0)
syz_usb_control_io$uac1(r0, 0x0, 0x0)
r1 = socket$inet6(0xa, 0x2, 0x0)
bind$inet6(r1, &(0x7f0000000140)={0xa, 0xe22, 0x0, @loopback={0xff00000000000000}}, 0x1c)
connect$inet6(r1, &(0x7f0000000300)={0xa, 0x0, 0x0, @mcast1, 0x6}, 0x1c)
syz_emit_ethernet(0x3e, &(0x7f0000000200)={@link_local={0x1, 0x80, 0xc2, 0x3}, @dev, @void, {@ipv6={0x86dd, @udp={0x0, 0x6, "010100", 0x8, 0x11, 0x0, @private2, @mcast2, {[], {0x0, 0xe22, 0x8}}}}}}, 0x0)
syz_usb_control_io$printer(r0, 0x0, 0x0)
r2 = syz_open_dev$I2C(&(0x7f00000000c0), 0xc, 0x88000)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r3, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000004c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000020000000900010073797a300000000040000000030a09020000000000000000020000000900010073797a30000000000900030073797a3200000000140004800800014000000000080002400000000014000000110001"], 0x88}}, 0x0)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000440)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x5}}, [@NFT_MSG_NEWRULE={0x64, 0x6, 0xa, 0x40b, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x38, 0x4, 0x0, 0x1, [{0x34, 0x1, 0x0, 0x1, @target={{0xb}, @val={0x24, 0x2, 0x0, 0x1, [@NFTA_TARGET_NAME={0x9, 0x1, 'MARK\x00'}, @NFTA_TARGET_INFO={0xc, 0x3, "02b51112d439c592"}, @NFTA_TARGET_REV={0x8, 0x2, 0x1, 0x0, 0x2}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x8c}}, 0x0)
ioctl$I2C_RDWR(r2, 0x707, &(0x7f0000000080)={&(0x7f0000000580)=[{0x4, 0x1010, 0x0, 0x0}, {0xc, 0xf200, 0x0, 0x0}], 0x2})
ioctl$I2C_SMBUS(r2, 0x720, &(0x7f00000001c0)={0x0, 0x0, 0x1, &(0x7f0000000180)={0x15, "4f8d6857cc31e1a25d0e93b478a8758f882f5aef5a559def2391099800da670bc2"}})
sendmsg$IPSET_CMD_SAVE(r3, &(0x7f0000000400)={&(0x7f0000000240)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f0000000280)={&(0x7f00000005c0)={0x4c, 0x8, 0x6, 0x3, 0x0, 0x0, {0x0, 0x0, 0x1}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz2\x00'}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}]}, 0x4c}}, 0x20000801)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r5, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000002c0)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x201, 0x0, 0x0, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWFLOWTABLE={0x58, 0x16, 0xa, 0x1, 0x0, 0x0, {0x1}, [@NFTA_FLOWTABLE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_FLOWTABLE_HOOK={0x2c, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_DEVS={0x18, 0x3, 0x0, 0x1, [{0x14, 0x1, 'veth1_to_bond\x00'}]}, @NFTA_FLOWTABLE_HOOK_PRIORITY={0x8}]}]}, @NFT_MSG_DELFLOWTABLE={0x6c, 0x16, 0xa, 0x101, 0xb00, 0x0, {0x1}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_FLOWTABLE_HOOK={0x40, 0x3, 0x0, 0x1, [@NFTA_FLOWTABLE_HOOK_NUM={0x8}, @NFTA_FLOWTABLE_HOOK_DEVS={0x2c, 0x3, 0x0, 0x1, [{0x14, 0x1, 'geneve0\x00'}, {0x14, 0x1, 'veth1_to_bond\x00'}]}, @NFTA_FLOWTABLE_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x10}]}]}], {0x14, 0x10}}, 0x10c}}, 0x0)

[   89.291540][ T5327] Bluetooth: hci0: command tx timeout
[   89.687169][ T1229] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[   89.837150][ T1229] usb 5-1: Using ep0 maxpacket: 16
[   89.844800][ T1229] usb 5-1: New USB device found, idVendor=06be, idProduct=a232, bcdDevice=33.f3
[   89.850999][ T1229] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   89.872340][ T1229] usb 5-1: Product: syz
[   89.874943][ T1229] usb 5-1: Manufacturer: syz
[   89.879535][ T1229] usb 5-1: SerialNumber: syz
[   89.894672][ T1229] usb 5-1: config 0 descriptor??
[   90.337659][ T1229] dvb-usb: found a 'AME DTV-5100 USB2.0 DVB-T' in warm state.
[   90.348186][ T1229] dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
[   90.370356][ T1229] dvbdev: DVB: registering new adapter (AME DTV-5100 USB2.0 DVB-T)
[   90.378871][ T1229] usb 5-1: media controller created
[   90.438473][ T1229] dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
[   91.038021][ T5350] dtv5100: wlen = 0, aborting.
[   91.045644][ T1229] zl10353_read_register: readreg error (reg=127, ret==0)
[   91.058241][ T1229] dvb-usb: no frontend was attached by 'AME DTV-5100 USB2.0 DVB-T'
[   91.070948][ T5351] ------------[ cut here ]------------
[   91.082378][ T5351] usb 5-1: BOGUS control dir, pipe 80000280 doesn't match bRequestType c0
[   91.091161][ T5351] WARNING: drivers/usb/core/urb.c:414 at usb_submit_urb+0x105c/0x18d0, CPU#0: syz.0.0/5351
[   91.106097][ T5351] Modules linked in:
[   91.110577][ T5351] CPU: 0 UID: 0 PID: 5351 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   91.121426][ T5351] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   91.139314][ T5351] RIP: 0010:usb_submit_urb+0x111c/0x18d0
[   91.145665][ T5351] Code: b8 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 a7 05 00 00 45 0f b6 45 00 48 8b 3c 24 48 8b 74 24 20 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 b7 f2 ff ff 89 e9
[   91.167742][ T5351] RSP: 0018:ffffc9000aaa7560 EFLAGS: 00010246
[   91.173662][ T5351] RAX: 0000000000000000 RBX: ffff8880333f8000 RCX: 0000000080000280
[   91.183657][ T5351] RDX: ffff888038256a00 RSI: ffffffff8c341a80 RDI: ffffffff8faf0420
[   91.196657][ T5351] RBP: 1ffff11006253a18 R08: 00000000000000c0 R09: 0000000000000000
[   91.207298][ T5351] R10: ffffc9000aaa7660 R11: fffff52001554ed8 R12: ffff8880372e7100
[   91.222226][ T5351] R13: ffff88803129d0c0 R14: 0000000080000280 R15: ffff888038256a00
[   91.232492][ T5351] FS:  00007f9b444066c0(0000) GS:ffff88808d22a000(0000) knlGS:0000000000000000
[   91.241425][ T5351] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   91.245363][ T5351] CR2: 00007f9b443e4fc8 CR3: 000000001fc6e000 CR4: 0000000000352ef0
[   91.250060][ T5351] Call Trace:
[   91.252606][ T5351]  <TASK>
[   91.254178][ T5351]  ? __init_swait_queue_head+0xa9/0x150
[   91.257204][ T5351]  usb_start_wait_urb+0x115/0x4f0
[   91.272548][ T5351]  ? __pfx_usb_start_wait_urb+0x10/0x10
[   91.275879][ T5351]  usb_control_msg+0x232/0x3e0
[   91.278528][ T5351]  dtv5100_i2c_msg+0x231/0x2f0
[   91.280899][ T5351]  dtv5100_i2c_xfer+0x1a4/0x3c0
[   91.294226][ T5351]  __i2c_transfer+0x871/0x2110
[   91.297751][ T5351]  ? lockdep_hardirqs_on+0x98/0x140
[   91.301490][ T5351]  ? __pfx___i2c_transfer+0x10/0x10
[   91.304579][ T5351]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   91.307546][ T5351]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   91.310571][ T5351]  __i2c_smbus_xfer+0xf80/0x1e40
[   91.323715][ T5351]  ? rt_mutex_slowlock+0x1c9/0x6b0
[   91.332604][ T5351]  ? __pfx_rt_mutex_slowlock+0x10/0x10
[   91.335129][ T5351]  ? __pfx___i2c_smbus_xfer+0x10/0x10
[   91.338742][ T5351]  ? lockdep_hardirqs_on+0x98/0x140
[   91.341229][ T5351]  ? rt_mutex_lock_nested+0x172/0x1e0
[   91.363985][ T5351]  i2c_smbus_xfer+0x275/0x3c0
[   91.371163][ T5351]  ? __pfx_i2c_smbus_xfer+0x10/0x10
[   91.373453][ T5351]  i2cdev_ioctl_smbus+0x1cd/0x750
[   91.375581][ T5351]  ? __pfx_i2cdev_ioctl_smbus+0x10/0x10
[   91.378003][ T5351]  i2cdev_ioctl+0x5d3/0x820
[   91.380041][ T5351]  ? __pfx_i2cdev_ioctl+0x10/0x10
[   91.412745][ T5351]  ? __fget_files+0x2a/0x420
[   91.415628][ T5351]  ? bpf_lsm_file_ioctl+0x9/0x20
[   91.418673][ T5351]  ? __pfx_i2cdev_ioctl+0x10/0x10
[   91.421749][ T5351]  __se_sys_ioctl+0xfc/0x170
[   91.437997][ T5351]  do_syscall_64+0xfa/0xf80
[   91.440392][ T5351]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   91.443669][ T5351]  ? clear_bhb_loop+0x60/0xb0
[   91.446042][ T5351]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   91.454071][ T5351] RIP: 0033:0x7f9b4358f7c9
[   91.456660][ T5351] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   91.482897][ T5351] RSP: 002b:00007f9b44406038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   91.486870][ T5351] RAX: ffffffffffffffda RBX: 00007f9b437e6090 RCX: 00007f9b4358f7c9
[   91.495894][ T5351] RDX: 00002000000001c0 RSI: 0000000000000720 RDI: 0000000000000005
[   91.503161][ T5351] RBP: 00007f9b43613f91 R08: 0000000000000000 R09: 0000000000000000
[   91.511465][ T5351] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   91.517374][ T5351] R13: 00007f9b437e6128 R14: 00007f9b437e6090 R15: 00007ffc355059a8
[   91.521654][ T5351]  </TASK>
[   91.523347][ T5351] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   91.526677][ T5351] CPU: 0 UID: 0 PID: 5351 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   91.532757][ T5351] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   91.539896][ T5351] Call Trace:
[   91.542388][ T5351]  <TASK>
[   91.544776][ T5351]  dump_stack_lvl+0x99/0x250
[   91.548373][ T5351]  ? __asan_memcpy+0x40/0x70
[   91.551242][ T5351]  ? __pfx_dump_stack_lvl+0x10/0x10
[   91.555758][ T5351]  ? __pfx__printk+0x10/0x10
[   91.558941][ T5351]  vpanic+0x237/0x6d0
[   91.560841][ T5351]  ? __pfx_vpanic+0x10/0x10
[   91.563085][ T5351]  ? is_bpf_text_address+0x292/0x2b0
[   91.565555][ T5351]  ? is_bpf_text_address+0x26/0x2b0
[   91.569073][ T5351]  panic+0xb9/0xc0
[   91.573362][ T5351]  ? __pfx_panic+0x10/0x10
[   91.577113][ T5351]  __warn+0x317/0x4b0
[   91.580034][ T5351]  ? usb_submit_urb+0x105c/0x18d0
[   91.583828][ T5351]  ? usb_submit_urb+0x105c/0x18d0
[   91.586091][ T5351]  __report_bug+0x288/0x500
[   91.588017][ T5351]  ? usb_submit_urb+0x105c/0x18d0
[   91.590098][ T5351]  ? __pfx___report_bug+0x10/0x10
[   91.603566][ T5351]  report_bug_entry+0x19a/0x290
[   91.605868][ T5351]  ? usb_submit_urb+0x111c/0x18d0
[   91.608272][ T5351]  ? usb_submit_urb+0x1121/0x18d0
[   91.610691][ T5351]  handle_bug+0xca/0x200
[   91.622759][ T5351]  exc_invalid_op+0x1a/0x50
[   91.624737][ T5351]  asm_exc_invalid_op+0x1a/0x20
[   91.627027][ T5351] RIP: 0010:usb_submit_urb+0x111c/0x18d0
[   91.629579][ T5351] Code: b8 00 00 00 00 00 fc ff df 0f b6 44 05 00 84 c0 0f 85 a7 05 00 00 45 0f b6 45 00 48 8b 3c 24 48 8b 74 24 20 4c 89 fa 44 89 f1 <67> 48 0f b9 3a 49 bf 00 00 00 00 00 fc ff df e9 b7 f2 ff ff 89 e9
[   91.650712][ T5351] RSP: 0018:ffffc9000aaa7560 EFLAGS: 00010246
[   91.663544][ T5351] RAX: 0000000000000000 RBX: ffff8880333f8000 RCX: 0000000080000280
[   91.667530][ T5351] RDX: ffff888038256a00 RSI: ffffffff8c341a80 RDI: ffffffff8faf0420
[   91.673282][ T5351] RBP: 1ffff11006253a18 R08: 00000000000000c0 R09: 0000000000000000
[   91.677524][ T5351] R10: ffffc9000aaa7660 R11: fffff52001554ed8 R12: ffff8880372e7100
[   91.681369][ T5351] R13: ffff88803129d0c0 R14: 0000000080000280 R15: ffff888038256a00
[   91.686275][ T5351]  ? __init_swait_queue_head+0xa9/0x150
[   91.692018][ T5351]  usb_start_wait_urb+0x115/0x4f0
[   91.697218][ T5351]  ? __pfx_usb_start_wait_urb+0x10/0x10
[   91.700400][ T5351]  usb_control_msg+0x232/0x3e0
[   91.703259][ T5351]  dtv5100_i2c_msg+0x231/0x2f0
[   91.706033][ T5351]  dtv5100_i2c_xfer+0x1a4/0x3c0
[   91.713776][ T5351]  __i2c_transfer+0x871/0x2110
[   91.716117][ T5351]  ? lockdep_hardirqs_on+0x98/0x140
[   91.718539][ T5351]  ? __pfx___i2c_transfer+0x10/0x10
[   91.721046][ T5351]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   91.734173][ T5351]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   91.737208][ T5351]  __i2c_smbus_xfer+0xf80/0x1e40
[   91.739638][ T5351]  ? rt_mutex_slowlock+0x1c9/0x6b0
[   91.752346][ T5351]  ? __pfx_rt_mutex_slowlock+0x10/0x10
[   91.755045][ T5351]  ? __pfx___i2c_smbus_xfer+0x10/0x10
[   91.757306][ T5351]  ? lockdep_hardirqs_on+0x98/0x140
[   91.759570][ T5351]  ? rt_mutex_lock_nested+0x172/0x1e0
[   91.771758][ T5351]  i2c_smbus_xfer+0x275/0x3c0
[   91.774086][ T5351]  ? __pfx_i2c_smbus_xfer+0x10/0x10
[   91.776405][ T5351]  i2cdev_ioctl_smbus+0x1cd/0x750
[   91.778548][ T5351]  ? __pfx_i2cdev_ioctl_smbus+0x10/0x10
[   91.781538][ T5351]  i2cdev_ioctl+0x5d3/0x820
[   91.785084][ T5351]  ? __pfx_i2cdev_ioctl+0x10/0x10
[   91.787956][ T5351]  ? __fget_files+0x2a/0x420
[   91.790659][ T5351]  ? bpf_lsm_file_ioctl+0x9/0x20
[   91.793972][ T5351]  ? __pfx_i2cdev_ioctl+0x10/0x10
[   91.797415][ T5351]  __se_sys_ioctl+0xfc/0x170
[   91.800145][ T5351]  do_syscall_64+0xfa/0xf80
[   91.803871][ T5351]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   91.807355][ T5351]  ? clear_bhb_loop+0x60/0xb0
[   91.810064][ T5351]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   91.813514][ T5351] RIP: 0033:0x7f9b4358f7c9
[   91.816116][ T5351] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   91.830495][ T5351] RSP: 002b:00007f9b44406038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   91.835404][ T5351] RAX: ffffffffffffffda RBX: 00007f9b437e6090 RCX: 00007f9b4358f7c9
[   91.839648][ T5351] RDX: 00002000000001c0 RSI: 0000000000000720 RDI: 0000000000000005
[   91.843076][ T5351] RBP: 00007f9b43613f91 R08: 0000000000000000 R09: 0000000000000000
[   91.847110][ T5351] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   91.851847][ T5351] R13: 00007f9b437e6128 R14: 00007f9b437e6090 R15: 00007ffc355059a8
[   91.856770][ T5351]  </TASK>
[   91.859003][ T5351] Kernel Offset: disabled
[   91.863527][ T5351] Rebooting in 86400 seconds..