./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2215449405 <...> DUID 00:04:03:2c:e5:fc:a2:19:b8:8b:c5:bf:62:63:19:3a:75:c6 forked to background, child pid 3184 [ 23.154274][ T3185] 8021q: adding VLAN 0 to HW filter on device bond0 [ 23.165866][ T3185] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.10.42' (ECDSA) to the list of known hosts. execve("./syz-executor2215449405", ["./syz-executor2215449405"], 0x7fff9a3db520 /* 10 vars */) = 0 brk(NULL) = 0x555556af9000 brk(0x555556af9c40) = 0x555556af9c40 arch_prctl(ARCH_SET_FS, 0x555556af9300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2215449405", 4096) = 28 brk(0x555556b1ac40) = 0x555556b1ac40 brk(0x555556b1b000) = 0x555556b1b000 mprotect(0x7f62ea9e1000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR) = 3 ioctl(3, USB_RAW_IOCTL_INIT, 0x7ffed5237920) = 0 ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 18 syzkaller login: [ 39.356467][ T26] usb 1-1: new high-speed USB device number 2 using dummy_hcd ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 18 [ 39.596492][ T26] usb 1-1: Using ep0 maxpacket: 8 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 9 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 [ 39.757048][ T26] usb 1-1: unable to get BOS descriptor or descriptor too short ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 228 [ 39.836888][ T26] usb 1-1: config 0 has an invalid interface number: 85 but max is 1 [ 39.844995][ T26] usb 1-1: config 0 has an invalid interface number: 155 but max is 1 [ 39.853202][ T26] usb 1-1: config 0 has no interface number 0 [ 39.859303][ T26] usb 1-1: config 0 has no interface number 1 [ 39.865374][ T26] usb 1-1: config 0 interface 85 altsetting 0 has an invalid endpoint with address 0x0, skipping [ 39.875939][ T26] usb 1-1: config 0 interface 85 altsetting 0 has an invalid endpoint with address 0x0, skipping [ 39.886499][ T26] usb 1-1: config 0 interface 85 altsetting 0 has an invalid endpoint with address 0x0, skipping [ 39.897027][ T26] usb 1-1: config 0 interface 85 altsetting 0 has an invalid endpoint with address 0x0, skipping [ 39.907594][ T26] usb 1-1: config 0 interface 85 altsetting 0 bulk endpoint 0x5 has invalid maxpacket 1024 [ 39.917594][ T26] usb 1-1: config 0 interface 85 altsetting 0 endpoint 0xC has invalid wMaxPacketSize 0 [ 39.927339][ T26] usb 1-1: config 0 interface 155 altsetting 0 has an invalid endpoint with address 0x0, skipping [ 39.937955][ T26] usb 1-1: config 0 interface 155 altsetting 0 has an invalid endpoint with address 0x0, skipping [ 39.948687][ T26] usb 1-1: config 0 interface 155 altsetting 0 endpoint 0xD has invalid wMaxPacketSize 0 [ 39.958550][ T26] usb 1-1: config 0 interface 155 altsetting 0 has an invalid endpoint with address 0x0, skipping [ 39.969176][ T26] usb 1-1: config 0 interface 155 altsetting 0 has an invalid endpoint with address 0x0, skipping ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 0 [ 39.979821][ T26] usb 1-1: config 0 interface 155 altsetting 0 endpoint 0xB has invalid wMaxPacketSize 0 [ 39.989656][ T26] usb 1-1: config 0 interface 155 altsetting 0 endpoint 0x2 has an invalid bInterval 0, changing to 7 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7ffed5236910) = 0 ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7ffed5237920) = 0 ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0) = 0 ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0 ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f62ea9e73ac) = -1 EINVAL (Invalid argument) ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7ffed5236910) = 0 [ 40.236967][ T26] usb 1-1: string descriptor 0 read error: -22 [ 40.243198][ T26] usb 1-1: New USB device found, idVendor=077d, idProduct=627a, bcdDevice= 0.01 [ 40.252261][ T26] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 40.261075][ T26] usb 1-1: config 0 descriptor?? [ 40.299021][ T26] ------------[ cut here ]------------ [ 40.304506][ T26] usb 1-1: BOGUS urb xfer, pipe 1 != type 3 [ 40.311021][ T26] WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x1880 [ 40.320437][ T26] Modules linked in: [ 40.324323][ T26] CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.0.0-rc3-next-20220901-syzkaller #0 [ 40.333731][ T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 [ 40.343835][ T26] Workqueue: usb_hub_wq hub_event [ 40.348899][ T26] RIP: 0010:usb_submit_urb+0xed2/0x1880 [ 40.354459][ T26] Code: 7c 24 18 e8 b0 43 e9 fb 48 8b 7c 24 18 e8 a6 2e 03 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 40 70 90 8a e8 12 8c aa 03 <0f> 0b e9 58 f8 ff ff e8 82 43 e9 fb 48 81 c5 c0 05 00 00 e9 84 f7 [ 40.374151][ T26] RSP: 0018:ffffc90000a1edc0 EFLAGS: 00010286 [ 40.380252][ T26] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 [ 40.388237][ T26] RDX: ffff888012693a80 RSI: ffffffff81620448 RDI: fffff52000143daa [ 40.396245][ T26] RBP: ffff888024077800 R08: 0000000000000005 R09: 0000000000000000 [ 40.404277][ T26] R10: 0000000080000000 R11: 3a312d3120627375 R12: 0000000000000001 [ 40.412270][ T26] R13: ffff88802676fdc0 R14: 0000000000000002 R15: ffff888016e51400 [ 40.420426][ T26] FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 [ 40.429393][ T26] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 40.435980][ T26] CR2: 00007ffda5c47148 CR3: 000000000bc8e000 CR4: 00000000003506e0 [ 40.444011][ T26] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 40.452019][ T26] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 40.460017][ T26] Call Trace: [ 40.463292][ T26] [ 40.466235][ T26] ? __init_swait_queue_head+0xc6/0x150 [ 40.471838][ T26] usb_start_wait_urb+0x101/0x4b0 [ 40.476915][ T26] ? usb_api_blocking_completion+0xa0/0xa0 [ 40.482723][ T26] ? __kasan_kmalloc+0xa9/0xd0 [ 40.487510][ T26] ? memset+0x20/0x40 [ 40.491496][ T26] usb_bulk_msg+0x226/0x550 exit_group(0) = ? +++ exited with 0 +++ [ 40.495991][ T26] shark_write_val+0x222/