==================================================================
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:562 [inline]
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x2ab/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:680
Read of size 49126 at addr ffff8880191f8000 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:120
 print_address_description+0x5f/0x3a0 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report+0x15e/0x200 mm/kasan/report.c:413
 check_memory_region_inline mm/kasan/generic.c:134 [inline]
 check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:185
 memcpy+0x25/0x60 mm/kasan/shadow.c:64
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:562 [inline]
 ath9k_hif_usb_rx_cb+0x2ab/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:680
 __usb_hcd_giveback_urb+0x375/0x520 drivers/usb/core/hcd.c:1656
 dummy_timer+0xa22/0x2e70 drivers/usb/gadget/udc/dummy_hcd.c:1971
 call_timer_fn+0x91/0x160 kernel/time/timer.c:1417
 expire_timers kernel/time/timer.c:1462 [inline]
 __run_timers+0x6c0/0x8a0 kernel/time/timer.c:1731
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1744
 __do_softirq+0x318/0x714 kernel/softirq.c:343
 asm_call_irq_on_stack+0xf/0x20
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x9a/0xe0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:226 [inline]
 __irq_exit_rcu+0x1d8/0x200 kernel/softirq.c:420
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:432
 sysvec_apic_timer_interrupt+0xe0/0xf0 arch/x86/kernel/apic/apic.c:1100
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:629
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:79 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:169 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]
RIP: 0010:acpi_idle_do_entry drivers/acpi/processor_idle.c:516 [inline]
RIP: 0010:acpi_idle_enter+0x3c9/0x700 drivers/acpi/processor_idle.c:647
Code: 08 31 ff e8 79 5f 60 fd 48 83 e3 08 0f 85 06 01 00 00 e8 0a 57 66 fd e9 0c 00 00 00 e8 b0 5a 60 fd 0f 00 2d 39 8e 02 06 fb f4 <9c> 8f 44 24 10 48 8d 44 24 10 48 c1 e8 03 42 80 3c 38 00 74 0a 48
RSP: 0018:ffffc90000d47dc0 EFLAGS: 00000282
RAX: aba4ab126157c300 RBX: 0000000000000000 RCX: ffffffff8ff5ca03
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff888015842800 R08: ffffffff817ddd30 R09: ffffed10023b46f1
R10: ffffed10023b46f1 R11: 0000000000000000 R12: ffff8880180c7004
R13: ffff888015842864 R14: 1ffff11003018e00 R15: dffffc0000000000
 cpuidle_enter_state+0x486/0xd50 drivers/cpuidle/cpuidle.c:237
 cpuidle_enter+0x59/0x90 drivers/cpuidle/cpuidle.c:351
 call_cpuidle kernel/sched/idle.c:158 [inline]
 cpuidle_idle_call kernel/sched/idle.c:239 [inline]
 do_idle+0x315/0x530 kernel/sched/idle.c:299
 cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:396
 secondary_startup_64_no_verify+0xb0/0xbb

The buggy address belongs to the page:
page:00000000f3d37e67 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x191f8
head:00000000f3d37e67 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010000(head)
raw: 00fff00000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888019200000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888019200080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888019200100: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff888019200180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888019200200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================