==================================================================
BUG: KASAN: slab-out-of-bounds in vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:226 [inline]
BUG: KASAN: slab-out-of-bounds in vmk80xx_auto_attach+0x136e/0x19c0 drivers/comedi/drivers/vmk80xx.c:818
Write of size 296 at addr ffff888019af1c00 by task kworker/1:10/4025

CPU: 1 PID: 4025 Comm: kworker/1:10 Not tainted 5.18.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memset+0x20/0x40 mm/kasan/shadow.c:44
 vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:226 [inline]
 vmk80xx_auto_attach+0x136e/0x19c0 drivers/comedi/drivers/vmk80xx.c:818
 comedi_auto_config+0x138/0x1e0 drivers/comedi/drivers.c:1066
 usb_probe_interface+0x274/0x6a0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:541 [inline]
 really_probe+0x1c1/0x9d0 drivers/base/dd.c:620
 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:751
 driver_probe_device+0x44/0x110 drivers/base/dd.c:781
 __device_attach_driver+0x185/0x250 drivers/base/dd.c:898
 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427
 __device_attach+0x1db/0x410 drivers/base/dd.c:969
 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487
 device_add+0x9ca/0x1b10 drivers/base/core.c:3405
 usb_set_configuration+0xa66/0x18b0 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0x74/0xa0 drivers/usb/core/generic.c:238
 usb_probe_device+0x95/0x240 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:541 [inline]
 really_probe+0x1c1/0x9d0 drivers/base/dd.c:620
 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:751
 driver_probe_device+0x44/0x110 drivers/base/dd.c:781
 __device_attach_driver+0x185/0x250 drivers/base/dd.c:898
 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427
 __device_attach+0x1db/0x410 drivers/base/dd.c:969
 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487
 device_add+0x9ca/0x1b10 drivers/base/core.c:3405
 usb_new_device.cold+0x5d1/0xeeb drivers/usb/core/hub.c:2566
 hub_port_connect drivers/usb/core/hub.c:5363 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5507 [inline]
 port_event drivers/usb/core/hub.c:5665 [inline]
 hub_event+0x114d/0x39b0 drivers/usb/core/hub.c:5747
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x299/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>

Allocated by task 4025:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:586 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 vmk80xx_alloc_usb_buffers drivers/comedi/drivers/vmk80xx.c:688 [inline]
 vmk80xx_auto_attach+0x782/0x19c0 drivers/comedi/drivers/vmk80xx.c:811
 comedi_auto_config+0x138/0x1e0 drivers/comedi/drivers.c:1066
 usb_probe_interface+0x274/0x6a0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:541 [inline]
 really_probe+0x1c1/0x9d0 drivers/base/dd.c:620
 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:751
 driver_probe_device+0x44/0x110 drivers/base/dd.c:781
 __device_attach_driver+0x185/0x250 drivers/base/dd.c:898
 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427
 __device_attach+0x1db/0x410 drivers/base/dd.c:969
 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487
 device_add+0x9ca/0x1b10 drivers/base/core.c:3405
 usb_set_configuration+0xa66/0x18b0 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0x74/0xa0 drivers/usb/core/generic.c:238
 usb_probe_device+0x95/0x240 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:541 [inline]
 really_probe+0x1c1/0x9d0 drivers/base/dd.c:620
 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:751
 driver_probe_device+0x44/0x110 drivers/base/dd.c:781
 __device_attach_driver+0x185/0x250 drivers/base/dd.c:898
 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427
 __device_attach+0x1db/0x410 drivers/base/dd.c:969
 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487
 device_add+0x9ca/0x1b10 drivers/base/core.c:3405
 usb_new_device.cold+0x5d1/0xeeb drivers/usb/core/hub.c:2566
 hub_port_connect drivers/usb/core/hub.c:5363 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5507 [inline]
 port_event drivers/usb/core/hub.c:5665 [inline]
 hub_event+0x114d/0x39b0 drivers/usb/core/hub.c:5747
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x299/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

The buggy address belongs to the object at ffff888019af1c00
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff888019af1c00, ffff888019af1c40)

The buggy address belongs to the physical page:
page:ffffea000066bc40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19af1
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0000714c00 dead000000000002 ffff88800fc41640
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 969, tgid 969 (kworker/u4:4), ts 4701974649, free_ts 4701252279
 prep_new_page mm/page_alloc.c:2441 [inline]
 get_page_from_freelist+0x178d/0x3da0 mm/page_alloc.c:4182
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab+0x26c/0x3c0 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x8e1/0xf20 mm/slub.c:3005
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
 slab_alloc_node mm/slub.c:3183 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 __kmalloc+0x318/0x350 mm/slub.c:4410
 kmalloc include/linux/slab.h:586 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 lsm_task_alloc security/security.c:614 [inline]
 security_task_alloc+0xca/0x200 security/security.c:1660
 copy_process+0x1f9d/0x68d0 kernel/fork.c:2216
 kernel_clone+0xb8/0x7f0 kernel/fork.c:2639
 kernel_thread+0xa3/0xe0 kernel/fork.c:2691
 call_usermodehelper_exec_work kernel/umh.c:174 [inline]
 call_usermodehelper_exec_work+0xa4/0x140 kernel/umh.c:160
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x299/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1356 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3328 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3423
 mm_free_pgd kernel/fork.c:739 [inline]
 __mmdrop+0xb9/0x350 kernel/fork.c:790
 free_bprm+0x5b/0x290 fs/exec.c:1484
 kernel_execve+0x2e7/0x400 fs/exec.c:1999
 call_usermodehelper_exec_async+0x2c1/0x500 kernel/umh.c:112
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

Memory state around the buggy address:
 ffff888019af1b00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888019af1b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888019af1c00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff888019af1c80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888019af1d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================