syzbot

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 1 PID: 3270 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 1 PID: 3270 Comm: kworker/1:4 Not tainted 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:502
Code: 7c 24 18 e8 c0 0d ef fb 48 8b 7c 24 18 e8 a6 6f 03 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 40 dc 8f 8a e8 2b c3 ac 03 <0f> 0b e9 58 f8 ff ff e8 92 0d ef fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc900033cee40 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff888018369d80 RSI: ffffffff8161f148 RDI: fffff52000679dba
RBP: ffff8880207d60a0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff888020eda8e8 R14: 0000000000000002 R15: ffff888017039100
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffea4c8a228 CR3: 0000000074a64000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 carl9170_usb_submit_cmd_urb+0x7e/0x130 drivers/net/wireless/ath/carl9170/usb.c:229
 __carl9170_exec_cmd+0x30b/0x5b0 drivers/net/wireless/ath/carl9170/usb.c:643
 carl9170_reboot+0xab/0xf0 drivers/net/wireless/ath/carl9170/cmd.c:141
 carl9170_usb_disconnect+0xee/0x130 drivers/net/wireless/ath/carl9170/usb.c:1116
 usb_unbind_interface+0x1d8/0x8e0 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:520 [inline]
 device_remove+0x11f/0x170 drivers/base/dd.c:512
 __device_release_driver drivers/base/dd.c:1209 [inline]
 device_release_driver_internal+0x4a1/0x700 drivers/base/dd.c:1235
 usb_driver_release_interface drivers/usb/core/driver.c:627 [inline]
 usb_forced_unbind_intf+0x136/0x210 drivers/usb/core/driver.c:1118
 usb_reset_device+0x39b/0x990 drivers/usb/core/hub.c:6104
 carl9170_usb_probe+0x48/0xd30 drivers/net/wireless/ath/carl9170/usb.c:1044
 usb_probe_interface+0x30b/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:530 [inline]
 really_probe+0x249/0xb90 drivers/base/dd.c:609
 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:748
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:778
 __device_attach_driver+0x206/0x2e0 drivers/base/dd.c:901
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:973
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xbd5/0x1e90 drivers/base/core.c:3517
 usb_set_configuration+0x1019/0x1900 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd4/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:530 [inline]
 really_probe+0x249/0xb90 drivers/base/dd.c:609
 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:748
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:778
 __device_attach_driver+0x206/0x2e0 drivers/base/dd.c:901
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:973
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xbd5/0x1e90 drivers/base/core.c:3517
 usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573
 hub_port_connect drivers/usb/core/hub.c:5353 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
 port_event drivers/usb/core/hub.c:5653 [inline]
 hub_event+0x26c7/0x4610 drivers/usb/core/hub.c:5735
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>