Extracting prog: 6m7.389670037s
Minimizing prog: 15m3.353391382s
Simplifying prog options: 0s
Extracting C: 35.365255643s
Simplifying C: 9m14.335116845s


extracting reproducer from 30 programs
testing a last program of every proc
single: executing 5 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): fsopen-fsconfig$FSCONFIG_CMD_CREATE-fsmount-socket$nl_route-getsockopt-socket$inet6_udplite-sendmsg$inet6-sendmsg$inet6-fchdir-syz_emit_vhci-openat$misdntimer-ioctl$IMADDTIMER-ioctl$IMADDTIMER-ioctl$IMDELTIMER-mmap-close
detailed listing:
executing program 0:
r0 = fsopen(&(0x7f0000000180)='proc\x00', 0x1)
fsconfig$FSCONFIG_CMD_CREATE(r0, 0x6, 0x0, 0x0, 0x0)
r1 = fsmount(r0, 0x0, 0x1)
r2 = socket$nl_route(0x10, 0x3, 0x0)
getsockopt(r2, 0x1, 0xf, &(0x7f0000000700)=""/161, &(0x7f0000000080)=0xa1)
r3 = socket$inet6_udplite(0xa, 0x2, 0x88)
sendmsg$inet6(r3, &(0x7f0000002280)={&(0x7f0000001e40)={0xa, 0x4e24, 0x0, @mcast1}, 0x1c, 0x0, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="b005000000000000290000003600"], 0x5b0}, 0x20008001)
sendmsg$inet6(r3, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000180)=[{&(0x7f00000022c0)="f14889c2ad234ad6f0a71da72859c7c1e176134eff431253493482c723f8633d838bf127adff9f48a8854702b889321dfefd5644a03e0e41fb1cd1e442ac39d59aa0370071b34de016c447989af4c7d374e269dcbc1ce5f7083363d5bb2641018094b1721358f7a6c82f35dd9e", 0x6d}], 0x1}, 0x20000044)
fchdir(r1)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="042f01007a74a9fe07f2e55918b1d9319436b44b0a9fff47d042789a52ffa88152da488ca6d4afb02dcb43af4b34d923f8703c293cfed44237a4c2d97f0b44e02b25a5a80941d8f8"], 0x4)
r4 = openat$misdntimer(0xffffffffffffff9c, &(0x7f0000001440), 0x0, 0x0)
ioctl$IMADDTIMER(r4, 0x80044940, &(0x7f0000000240)=0x14)
ioctl$IMADDTIMER(r4, 0x80044940, &(0x7f00000000c0)=0x32)
ioctl$IMDELTIMER(r4, 0x80044941, &(0x7f0000000140)=0x2)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x51857000)
close(r4)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$sndseq-prlimit64-sched_setscheduler-getpid-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-setsockopt$inet_tcp_int-recvmmsg-sched_setscheduler-openat$sw_sync-openat$sw_sync-ioctl$SW_SYNC_IOC_CREATE_FENCE-ioctl$SW_SYNC_IOC_CREATE_FENCE-ioctl$SYNC_IOC_MERGE-ioctl$SYNC_IOC_FILE_INFO-syz_genetlink_get_family_id$nl80211-sendmsg$nl_route-socket$nl_generic-ioctl$sock_SIOCGIFINDEX_80211-sendmsg$NL80211_CMD_JOIN_MESH-socket$inet_mptcp
detailed listing:
executing program 0:
openat$sndseq(0xffffffffffffff9c, &(0x7f0000000040), 0x48100)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x102}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000340)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs={0x0, 0x0, 0xfffffffe}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
setsockopt$inet_tcp_int(0xffffffffffffffff, 0x6, 0x17, 0x0, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000000)=0x6)
r3 = openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
r4 = openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000ac0), 0x0, 0x0)
ioctl$SW_SYNC_IOC_CREATE_FENCE(r4, 0xc0285700, &(0x7f0000000040)={0x4, "abacd211119ca94c63377526aeb5ab2c7b9ca5fa07558139ede6dc06270ee042", <r5=>0xffffffffffffffff})
ioctl$SW_SYNC_IOC_CREATE_FENCE(r3, 0xc0285700, &(0x7f0000000100)={0x8, "b546baa5cc590d3033de259c2996817bb959ebab028deda501009bdeffafde25", <r6=>0xffffffffffffffff})
ioctl$SYNC_IOC_MERGE(r5, 0xc0303e03, &(0x7f00000001c0)={"0080bced01eb0100000000000000000700000000000000c900", r6, <r7=>0xffffffffffffffff})
ioctl$SYNC_IOC_FILE_INFO(r7, 0xc0383e04, &(0x7f00000000c0)={""/32, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_genetlink_get_family_id$nl80211(&(0x7f0000000580), 0xffffffffffffffff)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB="6000000010000103ffeb00", @ANYBLOB="0000000000000000400012800e00010069703665727370616e0000002c0002801400050000000000000000000000000000000001"], 0x60}}, 0x0)
r8 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r8, 0x8933, &(0x7f0000000300)={'wlan0\x00'})
sendmsg$NL80211_CMD_JOIN_MESH(r8, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000080)=ANY=[], 0x4c}}, 0x0)
socket$inet_mptcp(0x2, 0x1, 0x106)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): bind$rxrpc-socket-listen-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-prctl$PR_SCHED_CORE-sendmsg-sched_setattr-syz_emit_ethernet-socket$inet_mptcp-bind$inet-memfd_create-fallocate-fallocate-close-bind$inet6-listen-openat$proc_mixer-openat$uhid-write$proc_mixer-add_key$keyring-socket$inet_sctp-getsockopt$IP_VS_SO_GET_TIMEOUT-add_key-syz_io_uring_setup-socket$nl_netfilter-sendmsg$NFT_BATCH-sendmsg$TIPC_CMD_DISABLE_BEARER
detailed listing:
executing program 0:
bind$rxrpc(0xffffffffffffffff, 0x0, 0x0)
r0 = socket(0x10, 0x803, 0x0)
listen(0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e)
sendmmsg$unix(r2, &(0x7f00000bd000), 0x318, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0)
sendmsg(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000200)}, 0x0)
sched_setattr(0x0, &(0x7f0000000100)={0x38, 0x5, 0x0, 0x0, 0x0, 0x906, 0x9, 0x8, 0x0, 0x3}, 0x0)
syz_emit_ethernet(0x22, 0x0, 0x0)
r3 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r3, 0x0, 0x0)
r4 = memfd_create(&(0x7f0000000780)='/dev/loop#\x00\xee\b\xce\xde\xe9\x8d\xd3\xd4\xe2\xfd\x7f\xf5R%\xe8]l\xa1s\b\xa5\xd2\xd59\xe8\xda\b\xd6\xb2\x15\xf6F\xb8\xb4{r.\xd2\xea\xec\xdbXe&J \xe9\x16\x82\xe8=\x83\x88sN\x83N`\xf9\xec\xe1\xbb\x05vH\xdd\x01?k\x97\xa5\xbf\x89#=2G<r\xf8\xd56\xaf~Nh%\x14\xf4\x14\xa3\x88i*rR\x17\x1ay\xc4x\x82u\xa3c\x9ez7\x88\x15\xdbz\xd1&\xd1\xca\xcb\xc5C\xa6,\xc7~\x86\xee=\xae}\xeb\xe8N\x11\xef\xb2\xceP\xff\xed\xee\xd7x6}-y #\x17\x8d[~\xe2\xab\xe6\xe3\x17\xd2/&\xfb\x13\xf3\xd9\xf4O\xf2\xdb\x9b\x03)\xae\xde\xef\x06\x03W\xb5;\xa6\xb4\'\'\x17\t\x00\x00\xaa\xe8\x81\xc0\x85\xd2\xfe\xcf\x9bn\xee*\x15\x97#\'\xc4\x06h\x1f@\a\n=7\xeb2\xaa\x0e\xee\x03\xd1\xd4\xc2yT\x8a0\x06=\xe7R\x85\x02\xf3\x15\x99z0]\xc4\x04\xb0\xea^\xd9\x1e\xbf\xb6\xe9\x8a\xfe\xd9G\x82\x93\xbf,J}\xed\x06\x18\x86WQn`\xf1\x9b\xb5\x96\xfe\xcf\xeb\x9f\x878me\x02\x90\xa2\x13O\x9a\xd6\xd0\x12\xf2$7\xb4\x8f\xfaal\xb8\xaaV>\xb16\xfb*\xf5\xd5\\\xa7\xebe\xbe\x9d\xd7\xf5\xb9<\xb2\xc4\xf9:\xef\xc0g\xc3\xa6\x7f\xc0\xcck.5=\xcc\x10Y\xad^*;MVh\xd9\xcf )\x0e%\x84\x95bXy\x81;o\xc9\x94\xc5M\xaf\xdbr\xec\xf6', 0x6)
fallocate(r4, 0x0, 0x0, 0x200401)
fallocate(r4, 0x0, 0x0, 0x200401)
close(r3)
bind$inet6(0xffffffffffffffff, 0x0, 0x0)
listen(0xffffffffffffffff, 0x400005)
r5 = openat$proc_mixer(0xffffffffffffff9c, &(0x7f0000000000)='/proc/asound/card0/oss_mixer\x00', 0x2002, 0x0)
openat$uhid(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
write$proc_mixer(r5, &(0x7f0000000200)=ANY=[@ANYBLOB='?HO'], 0x4f)
r6 = add_key$keyring(&(0x7f0000000240), &(0x7f00000001c0)={'syz', 0x2}, 0x0, 0x0, 0xffffffffffffffff)
r7 = socket$inet_sctp(0x2, 0x1, 0x84)
getsockopt$IP_VS_SO_GET_TIMEOUT(r7, 0x0, 0x486, &(0x7f0000000080), &(0x7f00000000c0)=0xc)
add_key(&(0x7f0000000440)='asymmetric\x00', 0x0, &(0x7f0000000000)="3080", 0x2, r6)
syz_io_uring_setup(0x410d, &(0x7f0000001380)={0x0, 0x0, 0x8e24f99225ab2de4, 0x1, 0x222, 0x0, r2}, &(0x7f0000000240), 0x0)
r8 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r8, &(0x7f00000000c0)={0x0, 0x0, 0x0}, 0x0)
sendmsg$TIPC_CMD_DISABLE_BEARER(r0, &(0x7f0000000400)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x100000}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x4000095}, 0x24000054)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): prlimit64-sched_setscheduler-getpid-sched_setscheduler-mmap-socketpair$unix-connect$unix-sendmmsg$unix-recvmmsg-socket$nl_generic-syz_genetlink_get_family_id$tipc-sendmsg$TIPC_CMD_SHOW_PORTS
detailed listing:
executing program 0:
prlimit64(0x0, 0xe, 0x0, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000080)=0x8)
r0 = getpid()
sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
connect$unix(r1, &(0x7f0000000300)=@abs={0x0, 0x0, 0xb}, 0x6e)
sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0)
recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$tipc(&(0x7f0000000080), r3)
sendmsg$TIPC_CMD_SHOW_PORTS(r3, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000001680)={&(0x7f0000001640)={0x1c, r4, 0x1}, 0x1c}, 0x1, 0x0, 0x0, 0x10}, 0x0)

program did not crash
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io-syz_usb_ep_write
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x7}}}}}]}}]}}, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io(r1, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB="000008000000080482"], 0x0, 0x0, 0x0, 0x0}, 0x0)
syz_usb_ep_write(r0, 0x81, 0x2, &(0x7f0000000040)='Pb')

program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
single: successfully extracted reproducer
found reproducer with 6 syscalls
minimizing guilty program
testing program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x7}}}}}]}}]}}, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)
syz_usb_control_io(r1, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB="000008000000080482"], 0x0, 0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x7}}}}}]}}]}}, 0x0)
syz_usb_control_io(r1, 0x0, 0x0)

program did not crash
testing program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
r1 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x7}}}}}]}}]}}, 0x0)
syz_usb_control_io(r1, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB="000008000000080482"], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_disconnect-syz_usb_control_io-syz_usb_control_io
detailed listing:
executing program 0:
r0 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
syz_usb_disconnect(r0)
syz_usb_control_io(0xffffffffffffffff, 0x0, 0x0)
syz_usb_control_io(0xffffffffffffffff, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB="000008000000080482"], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect$hid-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
detailed listing:
executing program 0:
syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000040260933334000000000010902240001000000000904000001030100000921000000012201000905810308"], 0x0)
r0 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x7}}}}}]}}]}}, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB="000008000000080482"], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
detailed listing:
executing program 0:
syz_usb_disconnect(0xffffffffffffffff)
r0 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x7}}}}}]}}]}}, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB="000008000000080482"], 0x0, 0x0, 0x0, 0x0}, 0x0)

program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
detailed listing:
executing program 0:
syz_usb_disconnect(0xffffffffffffffff)
r0 = syz_usb_connect$hid(0x3, 0x0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB="000008000000080482"], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
detailed listing:
executing program 0:
syz_usb_disconnect(0xffffffffffffffff)
r0 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x7}}}}}]}}]}}, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)

program did not crash
testing program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
detailed listing:
executing program 0:
syz_usb_disconnect(0xffffffffffffffff)
r0 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x7}}}}}]}}]}}, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f00000003c0)={0x2c, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
testing program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
detailed listing:
executing program 0:
syz_usb_disconnect(0xffffffffffffffff)
r0 = syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x4d8, 0xdd, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x5}}, {{{0x9, 0x5, 0x81, 0x3, 0x200, 0x0, 0x0, 0x7}}}}}]}}]}}, 0x0)
syz_usb_control_io(r0, 0x0, 0x0)
syz_usb_control_io(r0, &(0x7f00000003c0)={0x2c, &(0x7f0000000100)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0, 0x0}, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=46.222899564s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
simplifying C reproducer
testing compiled C program (duration=46.222899564s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=46.222899564s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=46.222899564s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=46.222899564s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=46.222899564s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=46.222899564s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
testing compiled C program (duration=46.222899564s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_disconnect-syz_usb_connect$hid-syz_usb_control_io-syz_usb_control_io
program crashed: BUG: unable to handle kernel paging request in mcp_smbus_xfer
reproducing took 31m0.443463507s
repro crashed as (corrupted=false):
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
mcp2221 0003:04D8:00DD.0001: USB HID v0.05 Device [HID 04d8:00dd] on usb-dummy_hcd.0-1/input0
Unable to handle kernel paging request at virtual address dfff800000000000
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 5.15.185-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: usb_hub_wq hub_event
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mcp_smbus_xfer+0x64/0xdc8 drivers/hid/hid-mcp2221.c:418
lr : mcp_smbus_xfer+0x44/0xdc8 drivers/hid/hid-mcp2221.c:414
sp : ffff80001b306140
x29: ffff80001b306140 x28: 0000000000000000 x27: dfff800000000000
x26: 00000000ffff9c0b x25: 1fffe00018390036 x24: 0000000000000000
x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000018
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000
x17: ffff800016cf0000 x16: ffff8000111a97c4 x15: ffff8000167d04c0
x14: ffff0000c0958a00 x13: dfff800000000000 x12: 0000000000ff0100
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff80000ed6395c
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000018 x0 : ffff0000c1c80088
Call trace:
 mcp_smbus_xfer+0x64/0xdc8 drivers/hid/hid-mcp2221.c:418
 __i2c_smbus_xfer+0x558/0x1fbc drivers/i2c/i2c-core-smbus.c:590
 i2c_smbus_xfer+0x1f0/0x314 drivers/i2c/i2c-core-smbus.c:545
 i2c_default_probe+0x1bc/0x240 drivers/i2c/i2c-core-base.c:-1
 i2c_detect_address drivers/i2c/i2c-core-base.c:2466 [inline]
 i2c_detect drivers/i2c/i2c-core-base.c:2541 [inline]
 i2c_do_add_adapter+0x388/0x7a0 drivers/i2c/i2c-core-base.c:1422
 __process_new_adapter+0x28/0x3c drivers/i2c/i2c-core-base.c:1429
 bus_for_each_drv+0x150/0x1d8 drivers/base/bus.c:429
 i2c_register_adapter+0xd80/0x103c drivers/i2c/i2c-core-base.c:1594
 i2c_add_adapter+0x16c/0x248 drivers/i2c/i2c-core-base.c:-1
 mcp2221_probe+0x254/0x5a8 drivers/hid/hid-mcp2221.c:882
 hid_device_probe+0x230/0x338 drivers/hid/hid-core.c:2309
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x180/0x314 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x274/0x4c4 drivers/base/dd.c:907
 bus_for_each_drv+0x150/0x1d8 drivers/base/bus.c:429
 __device_attach+0x2a8/0x3d4 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf94 drivers/base/core.c:3412
 hid_add_device+0x310/0x4d4 drivers/hid/hid-core.c:2461
 usbhid_probe+0x858/0xba4 drivers/hid/usbhid/hid-core.c:1424
 usb_probe_interface+0x4fc/0x994 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x180/0x314 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x274/0x4c4 drivers/base/dd.c:907
 bus_for_each_drv+0x150/0x1d8 drivers/base/bus.c:429
 __device_attach+0x2a8/0x3d4 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf94 drivers/base/core.c:3412
 usb_set_configuration+0x15b8/0x1b2c drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8c/0x144 drivers/usb/core/generic.c:238
 usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x180/0x314 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x274/0x4c4 drivers/base/dd.c:907
 bus_for_each_drv+0x150/0x1d8 drivers/base/bus.c:429
 __device_attach+0x2a8/0x3d4 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf94 drivers/base/core.c:3412
 usb_new_device+0x7ec/0x1164 drivers/usb/core/hub.c:2604
 hub_port_connect drivers/usb/core/hub.c:5467 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5607 [inline]
 port_event drivers/usb/core/hub.c:5753 [inline]
 hub_event+0x20cc/0x4188 drivers/usb/core/hub.c:5835
 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310
 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457
 kthread+0x374/0x454 kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Code: aa1303e0 966ba2e0 f9400273 d343fe7c (387b6b88) 
---[ end trace 5f81facddaf0ce63 ]---
----------------
Code disassembly (best guess):
   0:	aa1303e0 	mov	x0, x19
   4:	966ba2e0 	bl	0xfffffffff9ae8b84
   8:	f9400273 	ldr	x19, [x19]
   c:	d343fe7c 	lsr	x28, x19, #3
* 10:	387b6b88 	ldrb	w8, [x28, x27] <-- trapping instruction

final repro crashed as (corrupted=false):
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
mcp2221 0003:04D8:00DD.0001: USB HID v0.05 Device [HID 04d8:00dd] on usb-dummy_hcd.0-1/input0
Unable to handle kernel paging request at virtual address dfff800000000000
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 5.15.185-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: usb_hub_wq hub_event
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mcp_smbus_xfer+0x64/0xdc8 drivers/hid/hid-mcp2221.c:418
lr : mcp_smbus_xfer+0x44/0xdc8 drivers/hid/hid-mcp2221.c:414
sp : ffff80001b306140
x29: ffff80001b306140 x28: 0000000000000000 x27: dfff800000000000
x26: 00000000ffff9c0b x25: 1fffe00018390036 x24: 0000000000000000
x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000018
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000
x17: ffff800016cf0000 x16: ffff8000111a97c4 x15: ffff8000167d04c0
x14: ffff0000c0958a00 x13: dfff800000000000 x12: 0000000000ff0100
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff80000ed6395c
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000018 x0 : ffff0000c1c80088
Call trace:
 mcp_smbus_xfer+0x64/0xdc8 drivers/hid/hid-mcp2221.c:418
 __i2c_smbus_xfer+0x558/0x1fbc drivers/i2c/i2c-core-smbus.c:590
 i2c_smbus_xfer+0x1f0/0x314 drivers/i2c/i2c-core-smbus.c:545
 i2c_default_probe+0x1bc/0x240 drivers/i2c/i2c-core-base.c:-1
 i2c_detect_address drivers/i2c/i2c-core-base.c:2466 [inline]
 i2c_detect drivers/i2c/i2c-core-base.c:2541 [inline]
 i2c_do_add_adapter+0x388/0x7a0 drivers/i2c/i2c-core-base.c:1422
 __process_new_adapter+0x28/0x3c drivers/i2c/i2c-core-base.c:1429
 bus_for_each_drv+0x150/0x1d8 drivers/base/bus.c:429
 i2c_register_adapter+0xd80/0x103c drivers/i2c/i2c-core-base.c:1594
 i2c_add_adapter+0x16c/0x248 drivers/i2c/i2c-core-base.c:-1
 mcp2221_probe+0x254/0x5a8 drivers/hid/hid-mcp2221.c:882
 hid_device_probe+0x230/0x338 drivers/hid/hid-core.c:2309
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x180/0x314 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x274/0x4c4 drivers/base/dd.c:907
 bus_for_each_drv+0x150/0x1d8 drivers/base/bus.c:429
 __device_attach+0x2a8/0x3d4 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf94 drivers/base/core.c:3412
 hid_add_device+0x310/0x4d4 drivers/hid/hid-core.c:2461
 usbhid_probe+0x858/0xba4 drivers/hid/usbhid/hid-core.c:1424
 usb_probe_interface+0x4fc/0x994 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x180/0x314 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x274/0x4c4 drivers/base/dd.c:907
 bus_for_each_drv+0x150/0x1d8 drivers/base/bus.c:429
 __device_attach+0x2a8/0x3d4 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf94 drivers/base/core.c:3412
 usb_set_configuration+0x15b8/0x1b2c drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8c/0x144 drivers/usb/core/generic.c:238
 usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26c/0xaec drivers/base/dd.c:595
 __driver_probe_device+0x180/0x314 drivers/base/dd.c:755
 driver_probe_device+0x78/0x34c drivers/base/dd.c:785
 __device_attach_driver+0x274/0x4c4 drivers/base/dd.c:907
 bus_for_each_drv+0x150/0x1d8 drivers/base/bus.c:429
 __device_attach+0x2a8/0x3d4 drivers/base/dd.c:979
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1028
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf94 drivers/base/core.c:3412
 usb_new_device+0x7ec/0x1164 drivers/usb/core/hub.c:2604
 hub_port_connect drivers/usb/core/hub.c:5467 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5607 [inline]
 port_event drivers/usb/core/hub.c:5753 [inline]
 hub_event+0x20cc/0x4188 drivers/usb/core/hub.c:5835
 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310
 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457
 kthread+0x374/0x454 kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Code: aa1303e0 966ba2e0 f9400273 d343fe7c (387b6b88) 
---[ end trace 5f81facddaf0ce63 ]---
----------------
Code disassembly (best guess):
   0:	aa1303e0 	mov	x0, x19
   4:	966ba2e0 	bl	0xfffffffff9ae8b84
   8:	f9400273 	ldr	x19, [x19]
   c:	d343fe7c 	lsr	x28, x19, #3
* 10:	387b6b88 	ldrb	w8, [x28, x27] <-- trapping instruction