usb 1-1: RX USB error -2.
usb 1-1: error -1 when submitting rx urb
==================================================================
BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 drivers/net/wireless/ath/ar5523/ar5523.c:228
Read of size 8 at addr ffff88811c3db3f0 by task udevd/1289

CPU: 1 PID: 1289 Comm: udevd Not tainted 5.19.0-rc7-syzkaller-00142-g88a15fbb47db #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 ar5523_cmd_tx_cb+0x220/0x240 drivers/net/wireless/ath/ar5523/ar5523.c:228
 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
 usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1747
 dummy_timer+0x11f9/0x32b0 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers.part.0+0x679/0xa80 kernel/time/timer.c:1790
 __run_timers kernel/time/timer.c:1768 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
 __do_softirq+0x288/0x9a5 kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x113/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0033:0x7f3ee98b1815
Code: 89 44 24 10 49 89 54 24 18 48 81 fb ff 03 00 00 0f 87 2f 01 00 00 4c 89 65 70 4c 89 60 18 48 89 d8 48 83 c8 01 49 89 44 24 08 <49> 89 1c 1c 48 81 fb ff ff 00 00 0f 87 e2 01 00 00 8b 44 24 1c 85
RSP: 002b:00007ffe56559490 EFLAGS: 00010206
RAX: 00000000000010b1 RBX: 00000000000010b0 RCX: 00000000000000a1
RDX: 00007f3ee99e6a60 RSI: 0000000000000000 RDI: 000055da6dd021c0
RBP: 00007f3ee99e6a00 R08: 0000000000000007 R09: 000055da6dcf45f0
R10: 00007ffe56559500 R11: 00007ffe56559500 R12: 000055da6dd011b0
R13: 000055da6dd021c0 R14: 00000000000000a0 R15: 000055da6dcd0910
 </TASK>

The buggy address belongs to the physical page:
page:ffffea000470f6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c3db
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 ffffea000470f6c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 1144, tgid 1144 (kworker/1:2), ts 28358197528, free_ts 30468384276
 prep_new_page mm/page_alloc.c:2456 [inline]
 get_page_from_freelist+0x138c/0x27a0 mm/page_alloc.c:4198
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
 kmalloc_order+0x34/0xf0 mm/slab_common.c:945
 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:961
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 wiphy_new_nm+0x6f0/0x2080 net/wireless/core.c:440
 ieee80211_alloc_hw_nm+0x373/0x2270 net/mac80211/main.c:585
 ieee80211_alloc_hw include/net/mac80211.h:4412 [inline]
 ar5523_probe+0x121/0x1da0 drivers/net/wireless/ath/ar5523/ar5523.c:1595
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:555 [inline]
 really_probe+0x23e/0xb90 drivers/base/dd.c:634
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:764
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:794
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:917
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:989
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0x537/0xb80 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3343 [inline]
 free_unref_page+0x19/0x5a0 mm/page_alloc.c:3438
 device_release+0x9f/0x240 drivers/base/core.c:2241
 kobject_cleanup lib/kobject.c:673 [inline]
 kobject_release lib/kobject.c:704 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1c8/0x540 lib/kobject.c:721
 put_device+0x1b/0x30 drivers/base/core.c:3535
 ar5523_probe+0x1338/0x1da0 drivers/net/wireless/ath/ar5523/ar5523.c:1719
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:555 [inline]
 really_probe+0x23e/0xb90 drivers/base/dd.c:634
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:764
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:794
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:917
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:989
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xbda/0x1ea0 drivers/base/core.c:3428
 usb_set_configuration+0x101e/0x1900 drivers/usb/core/message.c:2170

Memory state around the buggy address:
 ffff88811c3db280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811c3db300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88811c3db380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff88811c3db400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811c3db480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================