dev: loaded udev
DUID 00:04:60:53:42:71:88:b7:f6:77:35:a2:41:23:0b:7b:f3:52
forked to background, child pid 1217
[   11.319085][ T1236] ssh-keygen (1236) used greatest stack depth: 23408 bytes left
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.178' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   27.756928][ T1144] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   27.996939][ T1144] usb 1-1: Using ep0 maxpacket: 16
[   28.117045][ T1144] usb 1-1: config 0 interface 0 altsetting 0 bulk endpoint 0x81 has invalid maxpacket 1024
[   28.287038][ T1144] usb 1-1: New USB device found, idVendor=1435, idProduct=0826, bcdDevice=1c.50
[   28.296101][ T1144] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   28.304131][ T1144] usb 1-1: Product: syz
[   28.308319][ T1144] usb 1-1: Manufacturer: syz
[   28.312899][ T1144] usb 1-1: SerialNumber: syz
[   28.321371][ T1144] usb 1-1: config 0 descriptor??
[   28.337579][ T1286] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[   28.376948][    C1] usb 1-1: RX USB error -71.
[   28.396949][    C1] usb 1-1: RX USB error -71.
[   28.416929][    C1] usb 1-1: RX USB error -71.
[   28.436922][    C1] usb 1-1: RX USB error -71.
[   28.456928][    C1] usb 1-1: RX USB error -71.
[   28.476937][    C1] usb 1-1: RX USB error -71.
[   28.496934][    C1] usb 1-1: RX USB error -71.
[   28.516934][    C1] usb 1-1: RX USB error -71.
[   28.536903][    C1] usb 1-1: RX USB error -71.
[   28.556919][    C1] usb 1-1: RX USB error -71.
[   28.576905][    C1] usb 1-1: RX USB error -71.
[   28.596894][    C1] usb 1-1: RX USB error -71.
[   28.616899][    C1] usb 1-1: RX USB error -71.
[   28.636919][    C1] usb 1-1: RX USB error -71.
[   28.656908][    C1] usb 1-1: RX USB error -71.
[   28.676903][    C1] usb 1-1: RX USB error -71.
[   28.696918][    C1] usb 1-1: RX USB error -71.
[   28.716901][    C1] usb 1-1: RX USB error -71.
[   28.736918][    C1] usb 1-1: RX USB error -71.
[   28.756907][    C1] usb 1-1: RX USB error -71.
[   28.776925][    C1] usb 1-1: RX USB error -71.
[   28.796929][    C1] usb 1-1: RX USB error -71.
[   28.816901][    C1] usb 1-1: RX USB error -71.
[   28.836914][    C1] usb 1-1: RX USB error -71.
[   28.856912][    C1] usb 1-1: RX USB error -71.
[   28.876901][    C1] usb 1-1: RX USB error -71.
[   28.896908][    C1] usb 1-1: RX USB error -71.
[   28.916902][    C1] usb 1-1: RX USB error -71.
[   28.936911][    C1] usb 1-1: RX USB error -71.
[   28.956931][    C1] usb 1-1: RX USB error -71.
[   28.976925][    C1] usb 1-1: RX USB error -71.
[   28.996899][    C1] usb 1-1: RX USB error -71.
[   29.016901][    C1] usb 1-1: RX USB error -71.
[   29.036902][    C1] usb 1-1: RX USB error -71.
[   29.056898][    C1] usb 1-1: RX USB error -71.
[   29.076917][    C1] usb 1-1: RX USB error -71.
[   29.096902][    C1] usb 1-1: RX USB error -71.
[   29.116929][    C1] usb 1-1: RX USB error -71.
[   29.136902][    C1] usb 1-1: RX USB error -71.
[   29.156895][    C1] usb 1-1: RX USB error -71.
[   29.176904][    C1] usb 1-1: RX USB error -71.
[   29.196907][    C1] usb 1-1: RX USB error -71.
[   29.216899][    C1] usb 1-1: RX USB error -71.
[   29.236909][    C1] usb 1-1: RX USB error -71.
[   29.256921][    C1] usb 1-1: RX USB error -71.
[   29.276921][    C1] usb 1-1: RX USB error -71.
[   29.296898][    C1] usb 1-1: RX USB error -71.
[   29.316899][    C1] usb 1-1: RX USB error -71.
[   29.336902][    C1] usb 1-1: RX USB error -71.
[   29.356936][    C1] usb 1-1: RX USB error -71.
[   29.376925][    C1] usb 1-1: RX USB error -71.
[   29.396914][    C1] usb 1-1: RX USB error -71.
[   29.416906][    C1] usb 1-1: RX USB error -71.
[   29.436920][    C1] usb 1-1: RX USB error -71.
[   29.456912][    C1] usb 1-1: RX USB error -71.
[   29.476930][    C1] usb 1-1: RX USB error -71.
[   29.496907][    C1] usb 1-1: RX USB error -71.
[   29.516895][    C1] usb 1-1: RX USB error -71.
[   29.536903][    C1] usb 1-1: RX USB error -71.
[   29.556897][    C1] usb 1-1: RX USB error -71.
[   29.576925][    C1] usb 1-1: RX USB error -71.
[   29.596926][    C1] usb 1-1: RX USB error -71.
[   29.616888][    C1] usb 1-1: RX USB error -71.
[   29.636927][    C1] usb 1-1: RX USB error -71.
[   29.656903][    C1] usb 1-1: RX USB error -71.
[   29.676903][    C1] usb 1-1: RX USB error -71.
[   29.696915][    C1] usb 1-1: RX USB error -71.
[   29.716921][    C1] usb 1-1: RX USB error -71.
[   29.736916][    C1] usb 1-1: RX USB error -71.
[   29.756903][    C1] usb 1-1: RX USB error -71.
[   29.776917][    C1] usb 1-1: RX USB error -71.
[   29.796904][    C1] usb 1-1: RX USB error -71.
[   29.816917][    C1] usb 1-1: RX USB error -71.
[   29.836922][    C1] usb 1-1: RX USB error -71.
[   29.856902][    C1] usb 1-1: RX USB error -71.
[   29.876915][    C1] usb 1-1: RX USB error -71.
[   29.896919][    C1] usb 1-1: RX USB error -71.
[   29.916901][    C1] usb 1-1: RX USB error -71.
[   29.936922][    C1] usb 1-1: RX USB error -71.
[   29.956908][    C1] usb 1-1: RX USB error -71.
[   29.976899][    C1] usb 1-1: RX USB error -71.
[   29.996921][    C1] usb 1-1: RX USB error -71.
[   30.016908][    C1] usb 1-1: RX USB error -71.
[   30.036905][    C1] usb 1-1: RX USB error -71.
[   30.056918][    C1] usb 1-1: RX USB error -71.
[   30.076901][    C1] usb 1-1: RX USB error -71.
[   30.096920][    C1] usb 1-1: RX USB error -71.
[   30.116910][    C1] usb 1-1: RX USB error -71.
[   30.136919][    C1] usb 1-1: RX USB error -71.
[   30.156895][    C1] usb 1-1: RX USB error -71.
[   30.176924][    C1] usb 1-1: RX USB error -71.
[   30.196898][    C1] usb 1-1: RX USB error -71.
[   30.216915][    C1] usb 1-1: RX USB error -71.
[   30.236908][    C1] usb 1-1: RX USB error -71.
[   30.256897][    C1] usb 1-1: RX USB error -71.
[   30.276882][    C1] usb 1-1: RX USB error -71.
[   30.296884][    C1] usb 1-1: RX USB error -71.
[   30.316904][    C1] usb 1-1: RX USB error -71.
[   30.336925][    C1] usb 1-1: RX USB error -71.
[   30.356926][    C1] usb 1-1: RX USB error -71.
[   30.376915][    C1] usb 1-1: RX USB error -71.
[   30.396921][    C1] usb 1-1: RX USB error -71.
[   30.416883][    C1] usb 1-1: RX USB error -71.
[   30.436893][    C1] usb 1-1: RX USB error -71.
[   30.441572][ T1144] usb 1-1: timeout waiting for command 01 reply
[   30.447906][ T1144] usb 1-1: could not initialize adapter
[   30.456929][    C1] usb 1-1: RX USB error -2.
[   30.461562][    C1] usb 1-1: error -1 when submitting rx urb
[   30.468414][ T1144] ar5523: probe of 1-1:0.0 failed with error -110
executing program
[   32.489008][   T71] usb 1-1: USB disconnect, device number 2
[   32.496903][    C1] ==================================================================
[   32.504984][    C1] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
[   32.512405][    C1] Read of size 8 at addr ffff88811c3db3f0 by task udevd/1289
[   32.519818][    C1] 
[   32.522131][    C1] CPU: 1 PID: 1289 Comm: udevd Not tainted 5.19.0-rc7-syzkaller-00142-g88a15fbb47db #0
[   32.531740][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[   32.541779][    C1] Call Trace:
[   32.545042][    C1]  <TASK>
[   32.547963][    C1]  dump_stack_lvl+0xcd/0x134
[   32.552542][    C1]  print_address_description.constprop.0.cold+0xeb/0x495
[   32.559553][    C1]  ? ar5523_cmd_tx_cb+0x220/0x240
[   32.564566][    C1]  kasan_report.cold+0xf4/0x1c6
[   32.569402][    C1]  ? ar5523_cmd_tx_cb+0x220/0x240
[   32.574411][    C1]  ar5523_cmd_tx_cb+0x220/0x240
[   32.579248][    C1]  __usb_hcd_giveback_urb+0x2b0/0x5c0
[   32.584623][    C1]  usb_hcd_giveback_urb+0x367/0x410
[   32.589815][    C1]  dummy_timer+0x11f9/0x32b0
[   32.594396][    C1]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   32.600366][    C1]  ? dummy_dequeue+0x500/0x500
[   32.605133][    C1]  ? dummy_dequeue+0x500/0x500
[   32.609882][    C1]  call_timer_fn+0x1a5/0x6b0
[   32.614460][    C1]  ? timer_fixup_activate+0x350/0x350
[   32.619817][    C1]  ? lock_downgrade+0x6e0/0x6e0
[   32.624656][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[   32.629844][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[   32.635028][    C1]  ? dummy_dequeue+0x500/0x500
[   32.639783][    C1]  __run_timers.part.0+0x679/0xa80
[   32.644884][    C1]  ? call_timer_fn+0x6b0/0x6b0
[   32.649633][    C1]  ? lapic_next_event+0x4d/0x80
[   32.654469][    C1]  ? clockevents_program_event+0x12b/0x370
[   32.660261][    C1]  run_timer_softirq+0xb3/0x1d0
[   32.665098][    C1]  __do_softirq+0x288/0x9a5
[   32.669586][    C1]  __irq_exit_rcu+0x113/0x170
[   32.674245][    C1]  irq_exit_rcu+0x5/0x20
[   32.678472][    C1]  sysvec_apic_timer_interrupt+0x40/0xc0
[   32.684087][    C1]  asm_sysvec_apic_timer_interrupt+0x16/0x20
[   32.690050][    C1] RIP: 0033:0x7f3ee98b1815
[   32.694448][    C1] Code: 89 44 24 10 49 89 54 24 18 48 81 fb ff 03 00 00 0f 87 2f 01 00 00 4c 89 65 70 4c 89 60 18 48 89 d8 48 83 c8 01 49 89 44 24 08 <49> 89 1c 1c 48 81 fb ff ff 00 00 0f 87 e2 01 00 00 8b 44 24 1c 85
[   32.714040][    C1] RSP: 002b:00007ffe56559490 EFLAGS: 00010206
[   32.720091][    C1] RAX: 00000000000010b1 RBX: 00000000000010b0 RCX: 00000000000000a1
[   32.728045][    C1] RDX: 00007f3ee99e6a60 RSI: 0000000000000000 RDI: 000055da6dd021c0
[   32.735999][    C1] RBP: 00007f3ee99e6a00 R08: 0000000000000007 R09: 000055da6dcf45f0
[   32.743951][    C1] R10: 00007ffe56559500 R11: 00007ffe56559500 R12: 000055da6dd011b0
[   32.751908][    C1] R13: 000055da6dd021c0 R14: 00000000000000a0 R15: 000055da6dcd0910
[   32.759954][    C1]  </TASK>
[   32.762956][    C1] 
[   32.765261][    C1] The buggy address belongs to the physical page:
[   32.771647][    C1] page:ffffea000470f6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c3db
[   32.781865][    C1] flags: 0x200000000000000(node=0|zone=2)
[   32.787571][    C1] raw: 0200000000000000 0000000000000000 ffffea000470f6c8 0000000000000000
[   32.796135][    C1] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   32.804696][    C1] page dumped because: kasan: bad access detected
[   32.811086][    C1] page_owner tracks the page as freed
[   32.816431][    C1] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 1144, tgid 1144 (kworker/1:2), ts 28358197528, free_ts 30468384276
[   32.834223][    C1]  get_page_from_freelist+0x138c/0x27a0
[   32.839763][    C1]  __alloc_pages+0x1c7/0x510
[   32.844340][    C1]  alloc_pages+0x1aa/0x310
[   32.848741][    C1]  kmalloc_order+0x34/0xf0
[   32.853137][    C1]  kmalloc_order_trace+0x14/0x120
[   32.858142][    C1]  wiphy_new_nm+0x6f0/0x2080
[   32.862717][    C1]  ieee80211_alloc_hw_nm+0x373/0x2270
[   32.868085][    C1]  ar5523_probe+0x121/0x1da0
[   32.872657][    C1]  usb_probe_interface+0x315/0x7f0
[   32.877751][    C1]  really_probe+0x23e/0xb90
[   32.882237][    C1]  __driver_probe_device+0x338/0x4d0
[   32.887503][    C1]  driver_probe_device+0x4c/0x1a0
[   32.892509][    C1]  __device_attach_driver+0x20b/0x2f0
[   32.897863][    C1]  bus_for_each_drv+0x15f/0x1e0
[   32.902695][    C1]  __device_attach+0x1e4/0x530
[   32.907439][    C1]  bus_probe_device+0x1e4/0x290
[   32.912273][    C1] page last free stack trace:
[   32.916924][    C1]  free_pcp_prepare+0x537/0xb80
[   32.921757][    C1]  free_unref_page+0x19/0x5a0
[   32.926419][    C1]  device_release+0x9f/0x240
[   32.931008][    C1]  kobject_put+0x1c8/0x540
[   32.935421][    C1]  put_device+0x1b/0x30
[   32.939561][    C1]  ar5523_probe+0x1338/0x1da0
[   32.944218][    C1]  usb_probe_interface+0x315/0x7f0
[   32.946969][   T71] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[   32.949307][    C1]  really_probe+0x23e/0xb90
[   32.956794][   T71] dummy_hcd dummy_hcd.0: usb_device address has changed!
[   32.961225][    C1]  __driver_probe_device+0x338/0x4d0
[   32.973615][    C1]  driver_probe_device+0x4c/0x1a0
[   32.978660][    C1]  __device_attach_driver+0x20b/0x2f0
[   32.984046][    C1]  bus_for_each_drv+0x15f/0x1e0
[   32.988884][    C1]  __device_attach+0x1e4/0x530
[   32.993631][    C1]  bus_probe_device+0x1e4/0x290
[   32.998463][    C1]  device_add+0xbda/0x1ea0
[   33.002865][    C1]  usb_set_configuration+0x101e/0x1900
[   33.008311][    C1] 
[   33.010617][    C1] Memory state around the buggy address:
[   33.016234][    C1]  ffff88811c3db280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.024275][    C1]  ffff88811c3db300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.032318][    C1] >ffff88811c3db380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.040358][    C1]                                                              ^
[   33.048065][    C1]  ffff88811c3db400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.056114][    C1]  ffff88811c3db480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   33.064162][    C1] ==================================================================
[   33.072206][    C1] Kernel panic - not syncing: panic_on_warn set ...
[   33.078773][    C1] CPU: 1 PID: 1289 Comm: udevd Not tainted 5.19.0-rc7-syzkaller-00142-g88a15fbb47db #0
[   33.088403][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[   33.098440][    C1] Call Trace:
[   33.101705][    C1]  <TASK>
[   33.104620][    C1]  dump_stack_lvl+0xcd/0x134
[   33.109199][    C1]  panic+0x2d7/0x636
[   33.113081][    C1]  ? panic_print_sys_info.part.0+0x10b/0x10b
[   33.119050][    C1]  ? ar5523_cmd_tx_cb+0x220/0x240
[   33.124061][    C1]  end_report.part.0+0x3f/0x7c
[   33.128817][    C1]  kasan_report.cold+0x93/0x1c6
[   33.133651][    C1]  ? ar5523_cmd_tx_cb+0x220/0x240
[   33.138688][    C1]  ar5523_cmd_tx_cb+0x220/0x240
[   33.143524][    C1]  __usb_hcd_giveback_urb+0x2b0/0x5c0
[   33.148885][    C1]  usb_hcd_giveback_urb+0x367/0x410
[   33.154079][    C1]  dummy_timer+0x11f9/0x32b0
[   33.158656][    C1]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   33.164623][    C1]  ? dummy_dequeue+0x500/0x500
[   33.169373][    C1]  ? dummy_dequeue+0x500/0x500
[   33.174130][    C1]  call_timer_fn+0x1a5/0x6b0
[   33.178720][    C1]  ? timer_fixup_activate+0x350/0x350
[   33.184077][    C1]  ? lock_downgrade+0x6e0/0x6e0
[   33.188911][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[   33.194097][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[   33.199285][    C1]  ? dummy_dequeue+0x500/0x500
[   33.204033][    C1]  __run_timers.part.0+0x679/0xa80
[   33.209147][    C1]  ? call_timer_fn+0x6b0/0x6b0
[   33.213897][    C1]  ? lapic_next_event+0x4d/0x80
[   33.218736][    C1]  ? clockevents_program_event+0x12b/0x370
[   33.224531][    C1]  run_timer_softirq+0xb3/0x1d0
[   33.229384][    C1]  __do_softirq+0x288/0x9a5
[   33.233872][    C1]  __irq_exit_rcu+0x113/0x170
[   33.238533][    C1]  irq_exit_rcu+0x5/0x20
[   33.242775][    C1]  sysvec_apic_timer_interrupt+0x40/0xc0
[   33.248490][    C1]  asm_sysvec_apic_timer_interrupt+0x16/0x20
[   33.254457][    C1] RIP: 0033:0x7f3ee98b1815
[   33.258857][    C1] Code: 89 44 24 10 49 89 54 24 18 48 81 fb ff 03 00 00 0f 87 2f 01 00 00 4c 89 65 70 4c 89 60 18 48 89 d8 48 83 c8 01 49 89 44 24 08 <49> 89 1c 1c 48 81 fb ff ff 00 00 0f 87 e2 01 00 00 8b 44 24 1c 85
[   33.278476][    C1] RSP: 002b:00007ffe56559490 EFLAGS: 00010206
[   33.284542][    C1] RAX: 00000000000010b1 RBX: 00000000000010b0 RCX: 00000000000000a1
[   33.292502][    C1] RDX: 00007f3ee99e6a60 RSI: 0000000000000000 RDI: 000055da6dd021c0
[   33.300463][    C1] RBP: 00007f3ee99e6a00 R08: 0000000000000007 R09: 000055da6dcf45f0
[   33.308427][    C1] R10: 00007ffe56559500 R11: 00007ffe56559500 R12: 000055da6dd011b0
[   33.316486][    C1] R13: 000055da6dd021c0 R14: 00000000000000a0 R15: 000055da6dcd0910
[   33.324538][    C1]  </TASK>
[   33.327762][    C1] Kernel Offset: disabled
[   33.332085][    C1] Rebooting in 86400 seconds..