syzbot


KASAN: vmalloc-out-of-bounds Write in copy_play_buf

Status: moderation: reported on 2024/06/01 20:05
Subsystems: sound
Reported-by: syzbot+14e710f8ffc87a461683@syzkaller.appspotmail.com
First crash: 28d, last: 7d22h

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in copy_play_buf+0x4d1/0x9a0 sound/drivers/aloop.c:603
Write of size 128 at addr ffffc9000f748000 by task kworker/u8:0/10906

CPU: 1 PID: 10906 Comm: kworker/u8:0 Not tainted 6.10.0-rc3-syzkaller-00044-g2ccbdf43d5e7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 copy_play_buf+0x4d1/0x9a0 sound/drivers/aloop.c:603
 loopback_jiffies_timer_pos_update+0xd19/0x1630 sound/drivers/aloop.c:693
 loopback_jiffies_timer_function+0x64/0x240 sound/drivers/aloop.c:706
 call_timer_fn+0x18e/0x650 kernel/time/timer.c:1792
 expire_timers kernel/time/timer.c:1843 [inline]
 __run_timers kernel/time/timer.c:2417 [inline]
 __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2428
 run_timer_base kernel/time/timer.c:2437 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2447
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:ieee80211_sta_get_rates+0x2ff/0x660 net/mac80211/util.c:1552
Code: 84 db 0f 99 c0 44 08 f0 88 44 24 07 4c 8b 74 24 28 49 bc 00 00 00 00 00 fc ff df 45 31 ff 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 <74> 08 4c 89 f7 e8 07 25 f8 f6 49 63 c7 4d 8b 36 4c 8d 2c 40 4b 8d
RSP: 0018:ffffc900038b7798 EFLAGS: 00000246
RAX: 1ffff1100b5d8616 RBX: 000000000000003c RCX: ffff888020bf5a00
RDX: 0000000000000000 RSI: 000000000000003c RDI: 000000000000005a
RBP: 000000000000005a R08: ffffffff8b03c6dc R09: 1ffffffff1f5aa15
R10: dffffc0000000000 R11: fffffbfff1f5aa16 R12: dffffc0000000000
R13: 000000000000000c R14: ffff88805aec30b0 R15: 0000000000000005
 ieee80211_update_sta_info net/mac80211/ibss.c:988 [inline]
 ieee80211_rx_bss_info net/mac80211/ibss.c:1097 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1578 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x11e1/0x2d70 net/mac80211/ibss.c:1605
 ieee80211_iface_process_skb net/mac80211/iface.c:1605 [inline]
 ieee80211_iface_work+0x8a3/0xf10 net/mac80211/iface.c:1659
 cfg80211_wiphy_work+0x221/0x260 net/wireless/core.c:437
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Memory state around the buggy address:
 ffffc9000f747f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000f747f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc9000f748000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9000f748080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000f748100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
----------------
Code disassembly (best guess):
   0:	84 db                	test   %bl,%bl
   2:	0f 99 c0             	setns  %al
   5:	44 08 f0             	or     %r14b,%al
   8:	88 44 24 07          	mov    %al,0x7(%rsp)
   c:	4c 8b 74 24 28       	mov    0x28(%rsp),%r14
  11:	49 bc 00 00 00 00 00 	movabs $0xdffffc0000000000,%r12
  18:	fc ff df
  1b:	45 31 ff             	xor    %r15d,%r15d
  1e:	4c 89 f0             	mov    %r14,%rax
  21:	48 c1 e8 03          	shr    $0x3,%rax
  25:	42 80 3c 20 00       	cmpb   $0x0,(%rax,%r12,1)
* 2a:	74 08                	je     0x34 <-- trapping instruction
  2c:	4c 89 f7             	mov    %r14,%rdi
  2f:	e8 07 25 f8 f6       	call   0xf6f8253b
  34:	49 63 c7             	movslq %r15d,%rax
  37:	4d 8b 36             	mov    (%r14),%r14
  3a:	4c 8d 2c 40          	lea    (%rax,%rax,2),%r13
  3e:	4b                   	rex.WXB
  3f:	8d                   	.byte 0x8d

Crashes (2):
Time              Kernel    Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets                                 Manager                Title
2024/06/18 03:37  upstream  2ccbdf43d5e7  1f11cfd7   .config  console log  report                      info     [disk image] [vmlinux] [kernel image]  ci-upstream-kasan-gce  KASAN: vmalloc-out-of-bounds Write in copy_play_buf
2024/05/28 20:02  upstream  e0cce98fe279  34889ee3   .config  console log  report                      info     [disk image] [vmlinux] [kernel image]  ci-upstream-kasan-gce  KASAN: vmalloc-out-of-bounds Write in copy_play_buf