cm109 1-1:0.8: cm109_urb_irq_callback: urb status -71
------------[ cut here ]------------
URB ffff888056ace200 submitted while active
WARNING: drivers/usb/core/urb.c:379 at usb_submit_urb+0xfc1/0x1830 drivers/usb/core/urb.c:379, CPU#0: syz.0.11496/13064
Modules linked in:
CPU: 0 UID: 0 PID: 13064 Comm: syz.0.11496 Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:usb_submit_urb+0xfc1/0x1830 drivers/usb/core/urb.c:379
Code: 44 89 f2 e8 c1 a9 f7 f9 e9 13 fc ff ff e8 07 c5 8a fa c6 05 59 9f 99 08 01 90 48 c7 c7 40 b1 56 8c 48 89 de e8 20 69 4e fa 90 <0f> 0b 90 90 e9 b7 f0 ff ff e8 e1 c4 8a fa eb 11 e8 da c4 8a fa bd
RSP: 0018:ffffc90000007868 EFLAGS: 00010046
RAX: 22a1920fb5267800 RBX: ffff888056ace200 RCX: 0000000000040000
RDX: ffffc900021a1000 RSI: 0000000000004489 RDI: 000000000000448a
RBP: 000000000000000f R08: ffff8880b8624253 R09: 1ffff110170c484a
R10: dffffc0000000000 R11: ffffed10170c484b R12: dffffc0000000000
R13: ffff888028480830 R14: ffff888056ace208 R15: 0000000000000820
FS: 0000000000000000(0000) GS:ffff8881257d6000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5cf2d909c0 CR3: 000000006b790000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 000000000000e58e DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
cm109_submit_ctl drivers/input/misc/cm109.c:380 [inline]
cm109_urb_irq_callback+0x709/0xca0 drivers/input/misc/cm109.c:431
__usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1661
dummy_timer+0x862/0x4550 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:slab_update_freelist mm/slub.c:775 [inline]
RIP: 0010:__slab_free+0x251/0x3c0 mm/slub.c:4532
Code: ea 48 8b 4c 24 10 4d 89 f8 e8 1b e1 ff ff 41 89 c7 e9 44 fe ff ff 48 8b 5c 24 10 4c 89 f9 4c 89 e0 4c 89 ea f0 48 0f c7 4e 20 <0f> 85 95 fe ff ff 48 85 ed 75 2c 45 85 ed 79 57 65 48 8b 05 07 74
RSP: 0018:ffffc90003be78c0 EFLAGS: 00000242
RAX: ffff88805bada000 RBX: ffff88805badc000 RCX: 0000000000040001
RDX: 0000000000040002 RSI: ffffea00016eb600 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1fc9b67 R12: ffff88805bada000
R13: 0000000000040002 R14: ffff88801a842140 R15: 0000000000040001
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:349
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
__kmalloc_cache_noprof+0x1be/0x3d0 mm/slub.c:4391
kmalloc_noprof include/linux/slab.h:909 [inline]
kzalloc_noprof include/linux/slab.h:1043 [inline]
kobject_uevent_env+0x27c/0x8c0 lib/kobject_uevent.c:540
device_remove drivers/base/dd.c:569 [inline]
__device_release_driver drivers/base/dd.c:1274 [inline]
device_release_driver_internal+0x46f/0x800 drivers/base/dd.c:1297
driver_detach+0x1f3/0x2d0 drivers/base/dd.c:1360
bus_remove_driver+0x226/0x2f0 drivers/base/bus.c:747
usb_gadget_unregister_driver+0x4e/0x70 drivers/usb/gadget/udc/core.c:1732
raw_release+0xd7/0x260 drivers/usb/gadget/legacy/raw_gadget.c:462
__fput+0x449/0xa70 fs/file_table.c:468
task_work_run+0x1d4/0x260 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x6b5/0x2300 kernel/exit.c:961
do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdc7ef8ebe9
Code: Unable to access opcode bytes at 0x7fdc7ef8ebbf.
RSP: 002b:00007ffd5081a038 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fdc7ef8ebe9
RDX: 00007fdc7ef461f7 RSI: 0000000000000000 RDI: 000000000000000b
RBP: 0000000000000003 R08: 00007ffd5081a4d7 R09: 000000000000000b
R10: 00007fdc7f1b5fa0 R11: 0000000000000246 R12: 00007fdc7f1b627c
R13: 00007fdc7f1b6270 R14: 0000000000001d5f R15: 0000000000000003
----------------
Code disassembly (best guess), 1 byte skipped:
0: 48 8b 4c 24 10 mov 0x10(%rsp),%rcx
5: 4d 89 f8 mov %r15,%r8
8: e8 1b e1 ff ff call 0xffffe128
d: 41 89 c7 mov %eax,%r15d
10: e9 44 fe ff ff jmp 0xfffffe59
15: 48 8b 5c 24 10 mov 0x10(%rsp),%rbx
1a: 4c 89 f9 mov %r15,%rcx
1d: 4c 89 e0 mov %r12,%rax
20: 4c 89 ea mov %r13,%rdx
23: f0 48 0f c7 4e 20 lock cmpxchg16b 0x20(%rsi)
* 29: 0f 85 95 fe ff ff jne 0xfffffec4 <-- trapping instruction
2f: 48 85 ed test %rbp,%rbp
32: 75 2c jne 0x60
34: 45 85 ed test %r13d,%r13d
37: 79 57 jns 0x90
39: 65 gs
3a: 48 rex.W
3b: 8b .byte 0x8b
3c: 05 .byte 0x5
3d: 07 (bad)
3e: 74 .byte 0x74