BUG: sleeping function called from invalid context at drivers/usb/core/urb.c:705
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 28, name: kworker/1:1
preempt_count: 100, expected: 0
RCU nest depth: 1, expected: 0
6 locks held by kworker/1:1/28:
 #0: ffff888105e86d48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x1310/0x19a0 kernel/workqueue.c:3251
 #1: ffffc900001e7d18 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x988/0x19a0 kernel/workqueue.c:3252
 #2: ffff88810b7da1e0
 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
 #3: ffff888135dea1e0 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
 #3: ffff888135dea1e0 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1068
 #4: ffff888117c381a8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
 #4: ffff888117c381a8 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1068
 #5: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #5: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #5: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: class_rcu_constructor include/linux/rcupdate.h:1193 [inline]
 #5: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: unwind_next_frame+0xbd/0x1ea0 arch/x86/kernel/unwind_orc.c:495
irq event stamp: 20068101
hardirqs last  enabled at (20068100): [<ffffffff876c80e2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last  enabled at (20068100): [<ffffffff876c80e2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (20068101): [<ffffffff876c7df2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (20068101): [<ffffffff876c7df2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last  enabled at (20068074): [<ffffffff86470f40>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last  enabled at (20068074): [<ffffffff86470f40>] __alloc_skb+0x5c0/0x710 net/core/skbuff.c:695
softirqs last disabled at (20068077): [<ffffffff8177002d>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (20068077): [<ffffffff8177002d>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (20068077): [<ffffffff8177002d>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<ffffffff8176f5d5>] softirq_handle_begin kernel/softirq.c:463 [inline]
[<ffffffff8176f5d5>] handle_softirqs+0xf5/0x9d0 kernel/softirq.c:598
CPU: 1 UID: 0 PID: 28 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 __might_resched.cold+0x1ec/0x232 kernel/sched/core.c:8888
 usb_kill_urb+0x8e/0x320 drivers/usb/core/urb.c:705
 usb_tx_block+0x91/0x320 drivers/net/wireless/marvell/libertas/if_usb.c:429
 if_usb_send_fw_pkt.isra.0+0x2e4/0x550 drivers/net/wireless/marvell/libertas/if_usb.c:366
 if_usb_receive_fwload+0x5d3/0x780 drivers/net/wireless/marvell/libertas/if_usb.c:592
 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
 dummy_timer+0xda1/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:2005
 __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
 __hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
 handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:trace_lock_release include/trace/events/lock.h:69 [inline]
RIP: 0010:lock_release+0x25e/0x320 kernel/locking/lockdep.c:5879
Code: c7 c7 c0 73 76 89 e8 41 b7 07 00 65 49 ff 44 24 08 65 8b 05 a8 90 66 0b 83 f8 07 0f 86 e3 fd ff ff 90 0f 0b 90 e9 da fd ff ff <e8> dd 69 08 00 84 c0 0f 85 db fd ff ff 48 8d 3d de 91 62 09 67 48
RSP: 0018:ffffc900001e69e8 EFLAGS: 00000297
RAX: 0000000000000001 RBX: ffffffff896de760 RCX: ffffffff8b53f901
RDX: 0000000000000000 RSI: ffffffff816f880e RDI: ffffffff896de760
RBP: ffffffff816f880e R08: 0000000000000001 R09: 0000000000000007
R10: 0000000000000200 R11: 0000000000007fd0 R12: ffffc900001e6af0
R13: ffffc900001e6aa0 R14: ffffc900001e7eb0 R15: ffffc900001e6ad4
 rcu_lock_release include/linux/rcupdate.h:322 [inline]
 rcu_read_unlock include/linux/rcupdate.h:881 [inline]
 class_rcu_destructor include/linux/rcupdate.h:1193 [inline]
 unwind_next_frame+0x3c3/0x1ea0 arch/x86/kernel/unwind_orc.c:495
 arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kmalloc_noprof+0x302/0x810 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 usb_alloc_urb+0x66/0xa0 drivers/usb/core/urb.c:75
 ath6kl_usb_post_recv_transfers.constprop.0+0x87/0x3d0 drivers/net/wireless/ath/ath6kl/usb.c:431
 ath6kl_usb_start_recv_pipes drivers/net/wireless/ath/ath6kl/usb.c:497 [inline]
 hif_start drivers/net/wireless/ath/ath6kl/usb.c:702 [inline]
 ath6kl_usb_power_on+0x8e/0x160 drivers/net/wireless/ath/ath6kl/usb.c:1061
 ath6kl_hif_power_on drivers/net/wireless/ath/ath6kl/hif-ops.h:136 [inline]
 ath6kl_core_init+0x173/0x11b0 drivers/net/wireless/ath/ath6kl/core.c:97
 ath6kl_usb_probe+0xcd0/0x13e0 drivers/net/wireless/ath/ath6kl/usb.c:1167
 usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:643 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:721
 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:863
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:893
 __device_attach_driver+0x1df/0x340 drivers/base/dd.c:1021
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1093
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1148
 bus_probe_device+0x64/0x160 drivers/base/bus.c:613
 device_add+0x11d9/0x1950 drivers/base/core.c:3691
 usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2268
 usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:643 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:721
 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:863
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:893
 __device_attach_driver+0x1df/0x340 drivers/base/dd.c:1021
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1093
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1148
 bus_probe_device+0x64/0x160 drivers/base/bus.c:613
 device_add+0x11d9/0x1950 drivers/base/core.c:3691
 usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953
 process_one_work+0xa23/0x19a0 kernel/workqueue.c:3276
 process_scheduled_works kernel/workqueue.c:3359 [inline]
 worker_thread+0x5ef/0xe50 kernel/workqueue.c:3440
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x6c3/0xcb0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
BUG: scheduling while atomic: kworker/1:1/28/0x00000101
6 locks held by kworker/1:1/28:
 #0: ffff888105e86d48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x1310/0x19a0 kernel/workqueue.c:3251
 #1: ffffc900001e7d18 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x988/0x19a0 kernel/workqueue.c:3252
 #2: ffff88810b7da1e0 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
 #2: ffff88810b7da1e0 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
 #3: ffff888135dea1e0 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
 #3: ffff888135dea1e0 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1068
 #4: ffff888117c381a8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
 #4: ffff888117c381a8 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1068
 #5: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #5: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #5: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: class_rcu_constructor include/linux/rcupdate.h:1193 [inline]
 #5: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: unwind_next_frame+0xbd/0x1ea0 arch/x86/kernel/unwind_orc.c:495
Modules linked in:
irq event stamp: 20068101
hardirqs last  enabled at (20068100): [<ffffffff876c80e2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last  enabled at (20068100): [<ffffffff876c80e2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (20068101): [<ffffffff876c7df2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (20068101): [<ffffffff876c7df2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last  enabled at (20068074): [<ffffffff86470f40>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last  enabled at (20068074): [<ffffffff86470f40>] __alloc_skb+0x5c0/0x710 net/core/skbuff.c:695
softirqs last disabled at (20068077): [<ffffffff8177002d>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (20068077): [<ffffffff8177002d>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (20068077): [<ffffffff8177002d>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<ffffffff8176f5d5>] softirq_handle_begin kernel/softirq.c:463 [inline]
[<ffffffff8176f5d5>] handle_softirqs+0xf5/0x9d0 kernel/softirq.c:598
----------------
Code disassembly (best guess):
   0:	c7 c7 c0 73 76 89    	mov    $0x897673c0,%edi
   6:	e8 41 b7 07 00       	call   0x7b74c
   b:	65 49 ff 44 24 08    	incq   %gs:0x8(%r12)
  11:	65 8b 05 a8 90 66 0b 	mov    %gs:0xb6690a8(%rip),%eax        # 0xb6690c0
  18:	83 f8 07             	cmp    $0x7,%eax
  1b:	0f 86 e3 fd ff ff    	jbe    0xfffffe04
  21:	90                   	nop
  22:	0f 0b                	ud2
  24:	90                   	nop
  25:	e9 da fd ff ff       	jmp    0xfffffe04
* 2a:	e8 dd 69 08 00       	call   0x86a0c <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 db fd ff ff    	jne    0xfffffe12
  37:	48 8d 3d de 91 62 09 	lea    0x96291de(%rip),%rdi        # 0x962921c
  3e:	67                   	addr32
  3f:	48                   	rex.W