./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor767481250 <...> Warning: Permanently added '10.128.1.26' (ECDSA) to the list of known hosts. execve("./syz-executor767481250", ["./syz-executor767481250"], 0x7fffe87466e0 /* 10 vars */) = 0 brk(NULL) = 0x555555bc9000 brk(0x555555bc9c40) = 0x555555bc9c40 arch_prctl(ARCH_SET_FS, 0x555555bc9300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor767481250", 4096) = 27 brk(0x555555beac40) = 0x555555beac40 brk(0x555555beb000) = 0x555555beb000 mprotect(0x7f6bf0c97000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3 ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffea2d39e70) = 0 ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 18 syzkaller login: [ 37.991523][ T917] usb 1-1: new full-speed USB device number 2 using dummy_hcd ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 18 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 10 [ 38.401539][ T917] usb 1-1: unable to get BOS descriptor or descriptor too short ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 9 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 [ 38.441591][ T917] usb 1-1: not running at top speed; connect to a high speed hub ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 812 [ 38.521523][ T917] usb 1-1: config 6 has an invalid interface number: 155 but max is 3 [ 38.529742][ T917] usb 1-1: config 6 has an invalid interface association descriptor of length 2, skipping [ 38.539697][ T917] usb 1-1: config 6 has an invalid interface number: 73 but max is 3 [ 38.547819][ T917] usb 1-1: config 6 contains an unexpected descriptor of type 0x1, skipping [ 38.556640][ T917] usb 1-1: config 6 has an invalid interface number: 66 but max is 3 [ 38.564871][ T917] usb 1-1: config 6 has an invalid interface association descriptor of length 2, skipping [ 38.574839][ T917] usb 1-1: config 6 has an invalid interface number: 196 but max is 3 [ 38.583217][ T917] usb 1-1: config 6 has no interface number 0 [ 38.589293][ T917] usb 1-1: config 6 has no interface number 1 [ 38.595405][ T917] usb 1-1: config 6 has no interface number 2 [ 38.601491][ T917] usb 1-1: config 6 has no interface number 3 [ 38.608259][ T917] usb 1-1: config 6 interface 155 altsetting 3 endpoint 0x86 has invalid wMaxPacketSize 0 [ 38.618181][ T917] usb 1-1: config 6 interface 155 altsetting 3 endpoint 0x6 has invalid maxpacket 512, setting to 64 [ 38.629152][ T917] usb 1-1: config 6 interface 155 altsetting 3 endpoint 0xE has invalid maxpacket 512, setting to 64 [ 38.640068][ T917] usb 1-1: config 6 interface 155 altsetting 3 has a duplicate endpoint with address 0x6, skipping [ 38.650903][ T917] usb 1-1: config 6 interface 155 altsetting 3 has a duplicate endpoint with address 0x6, skipping [ 38.661635][ T917] usb 1-1: config 6 interface 155 altsetting 3 endpoint 0x9 has invalid maxpacket 23595, setting to 64 [ 38.672813][ T917] usb 1-1: config 6 interface 155 altsetting 3 has a duplicate endpoint with address 0xE, skipping [ 38.683536][ T917] usb 1-1: config 6 interface 155 altsetting 3 endpoint 0x3 has invalid maxpacket 1023, setting to 64 [ 38.694501][ T917] usb 1-1: config 6 interface 73 altsetting 1 has an invalid endpoint with address 0x80, skipping [ 38.705221][ T917] usb 1-1: config 6 interface 73 altsetting 1 endpoint 0xB has invalid maxpacket 1023, setting to 64 [ 38.716433][ T917] usb 1-1: config 6 interface 73 altsetting 1 has an invalid endpoint with address 0x0, skipping [ 38.727097][ T917] usb 1-1: config 6 interface 73 altsetting 1 endpoint 0xC has invalid wMaxPacketSize 0 [ 38.736936][ T917] usb 1-1: config 6 interface 73 altsetting 1 endpoint 0xA has invalid maxpacket 1024, setting to 64 [ 38.748097][ T917] usb 1-1: config 6 interface 73 altsetting 1 has a duplicate endpoint with address 0x6, skipping [ 38.758749][ T917] usb 1-1: config 6 interface 73 altsetting 1 has a duplicate endpoint with address 0xE, skipping [ 38.769587][ T917] usb 1-1: config 6 interface 73 altsetting 1 has an invalid endpoint with address 0x80, skipping [ 38.780738][ T917] usb 1-1: config 6 interface 73 altsetting 1 endpoint 0x4 has invalid maxpacket 1023, setting to 64 [ 38.791657][ T917] usb 1-1: config 6 interface 73 altsetting 1 has a duplicate endpoint with address 0x6, skipping [ 38.802279][ T917] usb 1-1: config 6 interface 66 altsetting 32 has a duplicate endpoint with address 0xA, skipping [ 38.812974][ T917] usb 1-1: config 6 interface 66 altsetting 32 has a duplicate endpoint with address 0xB, skipping [ 38.823887][ T917] usb 1-1: config 6 interface 66 altsetting 32 endpoint 0x7 has invalid maxpacket 1024, setting to 64 [ 38.835353][ T917] usb 1-1: config 6 interface 66 altsetting 32 has an invalid endpoint with address 0x0, skipping [ 38.846154][ T917] usb 1-1: config 6 interface 66 altsetting 32 endpoint 0x5 has invalid maxpacket 512, setting to 64 [ 38.857140][ T917] usb 1-1: config 6 interface 66 altsetting 32 endpoint 0x8 has invalid maxpacket 512, setting to 64 [ 38.868054][ T917] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0x7, skipping [ 38.878797][ T917] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0xE, skipping [ 38.889695][ T917] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0x7, skipping [ 38.900405][ T917] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0x2, skipping [ 38.911111][ T917] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0xA, skipping ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 0 [ 38.921810][ T917] usb 1-1: config 6 interface 196 altsetting 4 has a duplicate endpoint with address 0x5, skipping [ 38.932512][ T917] usb 1-1: config 6 interface 155 has no altsetting 0 [ 38.939324][ T917] usb 1-1: config 6 interface 73 has no altsetting 0 [ 38.946104][ T917] usb 1-1: config 6 interface 66 has no altsetting 0 [ 38.952812][ T917] usb 1-1: config 6 interface 196 has no altsetting 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffea2d38e60) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffea2d39e70) = 0 ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0xfa) = 0 ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0 ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f6bf0c9d3ac) = 0 ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffea2d38e60) = 0 [ 39.222312][ T917] usb 1-1: string descriptor 0 read error: -22 [ 39.229093][ T917] usb 1-1: New USB device found, idVendor=0cf3, idProduct=0003, bcdDevice=95.a4 [ 39.238198][ T917] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 39.284598][ T917] ------------[ cut here ]------------ [ 39.290411][ T917] usb 1-1: BOGUS urb xfer, pipe 3 != type 1 [ 39.296766][ T917] WARNING: CPU: 0 PID: 917 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 [ 39.306251][ T917] Modules linked in: [ 39.310124][ T917] CPU: 0 PID: 917 Comm: kworker/0:2 Not tainted 5.19.0-rc8-syzkaller-00025-g6e7765cb477a #0 [ 39.320254][ T917] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 [ 39.330398][ T917] Workqueue: usb_hub_wq hub_event [ 39.335473][ T917] RIP: 0010:usb_submit_urb+0xed2/0x18a0 [ 39.341025][ T917] Code: 7c 24 18 e8 70 b3 ee fb 48 8b 7c 24 18 e8 06 d6 03 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 40 08 6f 8a e8 2d c8 a6 03 <0f> 0b e9 58 f8 ff ff e8 42 b3 ee fb 48 81 c5 c0 05 00 00 e9 84 f7 [ 39.360819][ T917] RSP: 0018:ffffc9000453ef48 EFLAGS: 00010286 [ 39.367114][ T917] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 [ 39.375145][ T917] RDX: ffff88801dfdd880 RSI: ffffffff8160d118 RDI: fffff520008a7ddb [ 39.383161][ T917] RBP: ffff88807d03d000 R08: 0000000000000005 R09: 0000000000000000 [ 39.391120][ T917] R10: 0000000080000000 R11: 0000000000000001 R12: 0000000000000003 [ 39.399110][ T917] R13: ffff8880205d6d98 R14: 0000000000000003 R15: ffff8880169ed500 [ 39.407098][ T917] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 39.416055][ T917] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 39.422664][ T917] CR2: 000055a3de900c80 CR3: 0000000024f4a000 CR4: 0000000000350ef0 [ 39.430619][ T917] Call Trace: exit_group(0) = ? [ 39.433926][ T917] [ 39.436862][ T917] ar5523_submit_rx_cmd+0x1f1/0x320 [ 39.442099][ T917] ar5523_probe+0xc06/0x1da0 [ 39.446703][ T917] ? ar5523_data_tx_cb+0x450/0x450 [ 39.451855][ T917] ? mark_held_locks+0x9f/0xe0 [ 39.456626][ T917] ? _raw_spin_unlock_irqrestore+0x50/0x70 [ 39.462478][ T917] ? _raw_spin_unlock_irqrestore+0x50/0x70 [ 39.468296][ T917] ? lockdep_hardirqs_on+0x79/0x100 [ 39.473531][ T917] ? _raw_spin_unlock_irqrestore+0x3d/0x70 [ 39.479338][ T917] ? __pm_runtime_set_status+0x4b8/0xc80 +++ exited with 0 +++ [