I don't think it is fixed yet.. This is https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28571#c4

Bash Reproducer:

./qemu-system-i386 -display none -machine accel=qtest, -m 512M \
 -machine q35 -nodefaults -drive \
 file=null-co://,if=none,format=raw,id=disk0 -device qemu-xhci,id=xhci \
 -device usb-tablet,bus=xhci.0 -device usb-bot -device \
 usb-storage,drive=disk0 -chardev null,id=cd0 -chardev null,id=cd1 \
 -device usb-braille,chardev=cd0 -device usb-ccid -device usb-ccid \
 -device usb-kbd -device usb-mouse -device usb-serial,chardev=cd1 -device\
 usb-tablet -device usb-wacom-tablet -device usb-audio -qtest /dev/null \
 -qtest stdio < attachment

Testcase:

/*
 * Autogenerated Fuzzer Test Case
 *
 * Copyright (c) 2021
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */

/*
 * Reviewer notes (not part of the generated file):
 *
 * - The test replays a fixed sequence of qtest operations -- port I/O
 *   (qtest_outl), MMIO (qtest_writel) and guest-RAM writes (qtest_bufwrite)
 *   -- against a q35 machine carrying qemu-xhci and a set of USB devices.
 *   Each of those is an action a guest driver can perform on its own, so
 *   whatever the sequence triggers is reachable from inside a guest; the
 *   test only shows reachability, it does not demonstrate anything beyond
 *   the crash the fuzzer found.
 * - The command line and every address and value below are kept exactly as
 *   generated.  The bare "," argument in qtest_init and the 0xffff0000...
 *   upper bits on the MMIO addresses are how the fuzzer emitted them; only
 *   line breaks and comments were added here.  Do not "tidy" them without
 *   re-checking that the reproducer still fires.
 */

#include "qemu/osdep.h"
#include "libqos/libqtest.h"

/*
 * Replay the fuzzer-generated I/O sequence for oss-fuzz issue 28571.
 * Takes no arguments; fails by crashing QEMU (the bug) rather than by
 * asserting anything.
 */
static void test_fuzz(void)
{
    /*
     * Same machine as the bash reproducer above, minus "-machine accel=qtest,"
     * (qtest_init supplies the accelerator itself).  The "," that was left
     * behind is passed to QEMU verbatim.
     */
    QTestState *s = qtest_init(
        "-display none , -m 512M -machine q35 -nodefaults -drive "
        "file=null-co://,if=none,format=raw,id=disk0 -device qemu-xhci,id=xhci -device "
        "usb-tablet,bus=xhci.0 -device usb-bot -device usb-storage,drive=disk0 -chardev "
        "null,id=cd0 -chardev null,id=cd1 -device usb-braille,chardev=cd0 -device "
        "usb-ccid -device usb-ccid -device usb-kbd -device usb-mouse -device "
        "usb-serial,chardev=cd1 -device usb-tablet -device usb-wacom-tablet -device "
        "usb-audio -qtest /dev/null");

    /*
     * PCI configuration space through mechanism #1 (0xcf8 = CONFIG_ADDRESS,
     * 0xcfc = CONFIG_DATA).  0x800008xx decodes as bus 0, device 1,
     * function 0; the low byte is the register offset.  NOTE(review): which
     * device QEMU placed at 00:01.0 on this command line is not visible
     * here -- presumably the first -device, qemu-xhci, since the MMIO
     * writes below only make sense against an xHCI BAR.  Confirm.
     */
    qtest_outl(s, 0xcf8, 0x80000816);   /* offset 0x16: a dword here straddles BAR1 (0x14) and BAR2 (0x18) */
    qtest_outl(s, 0xcfc, 0xffff);
    qtest_outl(s, 0xcf8, 0x80000803);   /* offset 0x03: unaligned dword write ... */
    qtest_outl(s, 0xcfc, 0x0600);       /* ... byte 0x04 receives 0x06; presumably COMMAND = memory-space + bus-master enable, if the config writer applies it byte-wise -- confirm against pci_default_write_config */
    qtest_outl(s, 0xcf8, 0x80000810);   /* offset 0x10: BAR0 */
    qtest_outl(s, 0xcfc, 0x2e654000);   /* BAR0 mapped at 0x2e654000; all MMIO below is relative to this */

    /*
     * MMIO at BAR0 + 0x40 (low 32 bits of the address).  NOTE(review): in
     * hcd-xhci this offset looks like the start of the operational register
     * block (USBCMD) -- confirm against OFF_OPER in hw/usb/hcd-xhci.c.
     */
    qtest_writel(s, 0xffff00002e654040, 0xffffff05);

    /*
     * Guest RAM: byte 0xd of every 16-byte slot from 0x40 up to 0xfd0 is set
     * to 0x04, then the five slots 0xfe0..0x1020 to 0x24.  NOTE(review): if
     * these slots are xHCI TRBs (16 bytes each), byte 13 carries the TRB type
     * in its top six bits: 0x04 >> 2 == 1, 0x24 >> 2 == 9, and 0x2c >> 2 == 11
     * for the slot at 0x1040 below.  Verify against the TRB type enum in
     * hcd-xhci.c before reading anything into that.
     */
    qtest_bufwrite(s, 0x4d, "\x04", 0x1);
    qtest_bufwrite(s, 0x5d, "\x04", 0x1);
    qtest_bufwrite(s, 0x6d, "\x04", 0x1);
    qtest_bufwrite(s, 0x7d, "\x04", 0x1);
    qtest_bufwrite(s, 0x8d, "\x04", 0x1);
    qtest_bufwrite(s, 0x9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xad, "\x04", 0x1);
    qtest_bufwrite(s, 0xbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xed, "\x04", 0x1);
    qtest_bufwrite(s, 0xfd, "\x04", 0x1);
    qtest_bufwrite(s, 0x10d, "\x04", 0x1);
    qtest_bufwrite(s, 0x11d, "\x04", 0x1);
    qtest_bufwrite(s, 0x12d, "\x04", 0x1);
    qtest_bufwrite(s, 0x13d, "\x04", 0x1);
    qtest_bufwrite(s, 0x14d, "\x04", 0x1);
    qtest_bufwrite(s, 0x15d, "\x04", 0x1);
    qtest_bufwrite(s, 0x16d, "\x04", 0x1);
    qtest_bufwrite(s, 0x17d, "\x04", 0x1);
    qtest_bufwrite(s, 0x18d, "\x04", 0x1);
    qtest_bufwrite(s, 0x19d, "\x04", 0x1);
    qtest_bufwrite(s, 0x1ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x1bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x1fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x20d, "\x04", 0x1);
    qtest_bufwrite(s, 0x21d, "\x04", 0x1);
    qtest_bufwrite(s, 0x22d, "\x04", 0x1);
    qtest_bufwrite(s, 0x23d, "\x04", 0x1);
    qtest_bufwrite(s, 0x24d, "\x04", 0x1);
    qtest_bufwrite(s, 0x25d, "\x04", 0x1);
    qtest_bufwrite(s, 0x26d, "\x04", 0x1);
    qtest_bufwrite(s, 0x27d, "\x04", 0x1);
    qtest_bufwrite(s, 0x28d, "\x04", 0x1);
    qtest_bufwrite(s, 0x29d, "\x04", 0x1);
    qtest_bufwrite(s, 0x2ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x2bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x2cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x2dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x2ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x2fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x30d, "\x04", 0x1);
    qtest_bufwrite(s, 0x31d, "\x04", 0x1);
    qtest_bufwrite(s, 0x32d, "\x04", 0x1);
    qtest_bufwrite(s, 0x33d, "\x04", 0x1);
    qtest_bufwrite(s, 0x34d, "\x04", 0x1);
    qtest_bufwrite(s, 0x35d, "\x04", 0x1);
    qtest_bufwrite(s, 0x36d, "\x04", 0x1);
    qtest_bufwrite(s, 0x37d, "\x04", 0x1);
    qtest_bufwrite(s, 0x38d, "\x04", 0x1);
    qtest_bufwrite(s, 0x39d, "\x04", 0x1);
    qtest_bufwrite(s, 0x3ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x3bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x3cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x3dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x3ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x3fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x40d, "\x04", 0x1);
    qtest_bufwrite(s, 0x41d, "\x04", 0x1);
    qtest_bufwrite(s, 0x42d, "\x04", 0x1);
    qtest_bufwrite(s, 0x43d, "\x04", 0x1);
    qtest_bufwrite(s, 0x44d, "\x04", 0x1);
    qtest_bufwrite(s, 0x45d, "\x04", 0x1);
    qtest_bufwrite(s, 0x46d, "\x04", 0x1);
    qtest_bufwrite(s, 0x47d, "\x04", 0x1);
    qtest_bufwrite(s, 0x48d, "\x04", 0x1);
    qtest_bufwrite(s, 0x49d, "\x04", 0x1);
    qtest_bufwrite(s, 0x4ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x4bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x4cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x4dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x4ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x4fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x50d, "\x04", 0x1);
    qtest_bufwrite(s, 0x51d, "\x04", 0x1);
    qtest_bufwrite(s, 0x52d, "\x04", 0x1);
    qtest_bufwrite(s, 0x53d, "\x04", 0x1);
    qtest_bufwrite(s, 0x54d, "\x04", 0x1);
    qtest_bufwrite(s, 0x55d, "\x04", 0x1);
    qtest_bufwrite(s, 0x56d, "\x04", 0x1);
    qtest_bufwrite(s, 0x57d, "\x04", 0x1);
    qtest_bufwrite(s, 0x58d, "\x04", 0x1);
    qtest_bufwrite(s, 0x59d, "\x04", 0x1);
    qtest_bufwrite(s, 0x5ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x5bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x5cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x5dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x5ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x5fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x60d, "\x04", 0x1);
    qtest_bufwrite(s, 0x61d, "\x04", 0x1);
    qtest_bufwrite(s, 0x62d, "\x04", 0x1);
    qtest_bufwrite(s, 0x63d, "\x04", 0x1);
    qtest_bufwrite(s, 0x64d, "\x04", 0x1);
    qtest_bufwrite(s, 0x65d, "\x04", 0x1);
    qtest_bufwrite(s, 0x66d, "\x04", 0x1);
    qtest_bufwrite(s, 0x67d, "\x04", 0x1);
    qtest_bufwrite(s, 0x68d, "\x04", 0x1);
    qtest_bufwrite(s, 0x69d, "\x04", 0x1);
    qtest_bufwrite(s, 0x6ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x6bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x6cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x6dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x6ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x6fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x70d, "\x04", 0x1);
    qtest_bufwrite(s, 0x71d, "\x04", 0x1);
    qtest_bufwrite(s, 0x72d, "\x04", 0x1);
    qtest_bufwrite(s, 0x73d, "\x04", 0x1);
    qtest_bufwrite(s, 0x74d, "\x04", 0x1);
    qtest_bufwrite(s, 0x75d, "\x04", 0x1);
    qtest_bufwrite(s, 0x76d, "\x04", 0x1);
    qtest_bufwrite(s, 0x77d, "\x04", 0x1);
    qtest_bufwrite(s, 0x78d, "\x04", 0x1);
    qtest_bufwrite(s, 0x79d, "\x04", 0x1);
    qtest_bufwrite(s, 0x7ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x7bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x7cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x7dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x7ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x7fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x80d, "\x04", 0x1);
    qtest_bufwrite(s, 0x81d, "\x04", 0x1);
    qtest_bufwrite(s, 0x82d, "\x04", 0x1);
    qtest_bufwrite(s, 0x83d, "\x04", 0x1);
    qtest_bufwrite(s, 0x84d, "\x04", 0x1);
    qtest_bufwrite(s, 0x85d, "\x04", 0x1);
    qtest_bufwrite(s, 0x86d, "\x04", 0x1);
    qtest_bufwrite(s, 0x87d, "\x04", 0x1);
    qtest_bufwrite(s, 0x88d, "\x04", 0x1);
    qtest_bufwrite(s, 0x89d, "\x04", 0x1);
    qtest_bufwrite(s, 0x8ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x8bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x8cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x8dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x8ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x8fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x90d, "\x04", 0x1);
    qtest_bufwrite(s, 0x91d, "\x04", 0x1);
    qtest_bufwrite(s, 0x92d, "\x04", 0x1);
    qtest_bufwrite(s, 0x93d, "\x04", 0x1);
    qtest_bufwrite(s, 0x94d, "\x04", 0x1);
    qtest_bufwrite(s, 0x95d, "\x04", 0x1);
    qtest_bufwrite(s, 0x96d, "\x04", 0x1);
    qtest_bufwrite(s, 0x97d, "\x04", 0x1);
    qtest_bufwrite(s, 0x98d, "\x04", 0x1);
    qtest_bufwrite(s, 0x99d, "\x04", 0x1);
    qtest_bufwrite(s, 0x9ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x9bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x9cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x9dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x9ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x9fd, "\x04", 0x1);
    qtest_bufwrite(s, 0xa0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xaad, "\x04", 0x1);
    qtest_bufwrite(s, 0xabd, "\x04", 0x1);
    qtest_bufwrite(s, 0xacd, "\x04", 0x1);
    qtest_bufwrite(s, 0xadd, "\x04", 0x1);
    qtest_bufwrite(s, 0xaed, "\x04", 0x1);
    qtest_bufwrite(s, 0xafd, "\x04", 0x1);
    qtest_bufwrite(s, 0xb0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xbad, "\x04", 0x1);
    qtest_bufwrite(s, 0xbbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xbcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xbdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xbed, "\x04", 0x1);
    qtest_bufwrite(s, 0xbfd, "\x04", 0x1);
    qtest_bufwrite(s, 0xc0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xcad, "\x04", 0x1);
    qtest_bufwrite(s, 0xcbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xccd, "\x04", 0x1);
    qtest_bufwrite(s, 0xcdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xced, "\x04", 0x1);
    qtest_bufwrite(s, 0xcfd, "\x04", 0x1);
    qtest_bufwrite(s, 0xd0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xdad, "\x04", 0x1);
    qtest_bufwrite(s, 0xdbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xdcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xddd, "\x04", 0x1);
    qtest_bufwrite(s, 0xded, "\x04", 0x1);
    qtest_bufwrite(s, 0xdfd, "\x04", 0x1);
    qtest_bufwrite(s, 0xe0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xead, "\x04", 0x1);
    qtest_bufwrite(s, 0xebd, "\x04", 0x1);
    qtest_bufwrite(s, 0xecd, "\x04", 0x1);
    qtest_bufwrite(s, 0xedd, "\x04", 0x1);
    qtest_bufwrite(s, 0xeed, "\x04", 0x1);
    qtest_bufwrite(s, 0xefd, "\x04", 0x1);
    qtest_bufwrite(s, 0xf0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xfad, "\x04", 0x1);
    qtest_bufwrite(s, 0xfbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xfcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xfdd, "\x04", 0x1);

    /* Five slots 0xfe0..0x1020 with byte 0xd = 0x24 (see note above). */
    qtest_bufwrite(s, 0xfed, "\x24", 0x1);
    qtest_bufwrite(s, 0xffd, "\x24", 0x1);
    qtest_bufwrite(s, 0x100d, "\x24", 0x1);
    qtest_bufwrite(s, 0x101d, "\x24", 0x1);
    qtest_bufwrite(s, 0x102d, "\x24", 0x1);

    /*
     * Slot at 0x1040: byte 1 = 0x6d, byte 13 = 0x2c, byte 15 = 0x05.
     * NOTE(review): if this slot's first qword is a pointer, the 0x6d byte
     * makes it 0x6d00 -- which is exactly where the guest-RAM writes after
     * the doorbell rings below land.  Confirm rather than assume.
     */
    qtest_bufwrite(s, 0x1041, "\x6d", 0x1);
    qtest_bufwrite(s, 0x104d, "\x2c", 0x1);
    qtest_bufwrite(s, 0x104f, "\x05", 0x1);

    /*
     * MMIO at BAR0 + 0x2000: four writes of 0.  NOTE(review): presumably the
     * doorbell array (OFF_DOORBELL in hcd-xhci.c), i.e. doorbell 0 -- confirm.
     */
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);

    /*
     * Guest RAM around 0x6d00: single bytes at offsets 0x04 (0x03), 0x26
     * (0x04) and 0x41 (0x04).  NOTE(review): if 0x6d00 is an xHCI input
     * context, these would touch the input-control word and the slot and
     * first endpoint contexts; that, and why this combination is what the
     * device trips over, has to be confirmed against the context parsing in
     * hcd-xhci.c -- nothing here proves it.
     */
    qtest_bufwrite(s, 0x6d04, "\x03", 0x1);
    qtest_bufwrite(s, 0x6d26, "\x04", 0x1);
    qtest_bufwrite(s, 0x6d41, "\x04", 0x1);

    /* Two more writes of 0 to BAR0 + 0x2000 (same register as above). */
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);

    /*
     * 4-byte write of the little-endian value 1 to BAR0 + 0x2014 (0x14 into
     * the same block as the writes above, i.e. presumably doorbell index 5
     * -- confirm).  This is the last guest action before the crash.
     */
    qtest_bufwrite(s, 0xffff00002e656014, "\x01\x00\x00\x00", 0x4);
    qtest_quit(s);
}

/*
 * Test entry point.  Registers the reproducer only for the i386 target the
 * bash reproducer above uses; on any other target the binary runs no tests.
 */
int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();
    g_test_init(&argc, &argv, NULL);
    if (strcmp(arch, "i386") == 0) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }
    return g_test_run();
}