usb 1-1: received invalid command response:got 60, instead of 4
==================================================================
BUG: KASAN: stack-out-of-bounds in carl9170_cmd_callback drivers/net/wireless/ath/carl9170/rx.c:153 [inline]
BUG: KASAN: stack-out-of-bounds in carl9170_handle_command_response+0x21f/0xc50 drivers/net/wireless/ath/carl9170/rx.c:168
Write of size 60 at addr ffffc90003517a38 by task syz-executor/2972

CPU: 0 UID: 0 PID: 2972 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(lazy) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x13d/0x4b0 mm/kasan/report.c:482
 kasan_report+0xdf/0x1d0 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:186 [inline]
 kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
 carl9170_cmd_callback drivers/net/wireless/ath/carl9170/rx.c:153 [inline]
 carl9170_handle_command_response+0x21f/0xc50 drivers/net/wireless/ath/carl9170/rx.c:168
 carl9170_usb_rx_irq_complete+0xfc/0x1b0 drivers/net/wireless/ath/carl9170/usb.c:307
 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
 dummy_timer+0xda1/0x36c0 drivers/usb/gadget/udc/dummy_hcd.c:2005
 __run_hrtimer kernel/time/hrtimer.c:1930 [inline]
 __hrtimer_run_queues+0x470/0xa00 kernel/time/hrtimer.c:1994
 hrtimer_run_softirq+0x17d/0x2c0 kernel/time/hrtimer.c:2011
 handle_softirqs+0x1dd/0x9e0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x160/0x210 kernel/softirq.c:735
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1061
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__sanitizer_cov_trace_const_cmp8+0x4/0x20 kernel/kcov.c:321
Code: 89 fe bf 05 00 00 00 e9 2a fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 0c 24 48 89 f2 48 89 fe bf 07 00 00 00 e9 f8 fd ff ff 0f 1f
RSP: 0018:ffffc90001947458 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000026 RCX: ffffffff821d8a8f
RDX: ffff888123573b80 RSI: 0000000000000000 RDI: 0000000000000fff
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: dffffc0000000000 R15: 0000000000000000
 __nr_to_section+0xa3/0xe0 include/linux/mmzone.h:2061
 __pfn_to_section include/linux/mmzone.h:2198 [inline]
 pfn_valid include/linux/mmzone.h:2280 [inline]
 page_table_check_set+0x3b/0x920 mm/page_table_check.c:105
 __page_table_check_ptes_set+0x1db/0x230 mm/page_table_check.c:212
 page_table_check_ptes_set include/linux/page_table_check.h:83 [inline]
 set_ptes include/linux/pgtable.h:413 [inline]
 __copy_present_ptes mm/memory.c:1118 [inline]
 copy_present_ptes mm/memory.c:1197 [inline]
 copy_pte_range mm/memory.c:1320 [inline]
 copy_pmd_range mm/memory.c:1408 [inline]
 copy_pud_range mm/memory.c:1445 [inline]
 copy_p4d_range mm/memory.c:1469 [inline]
 copy_page_range+0x1c87/0x56a0 mm/memory.c:1555
 dup_mmap+0xcd8/0x1f60 mm/mmap.c:1840
 dup_mm kernel/fork.c:1534 [inline]
 copy_mm kernel/fork.c:1586 [inline]
 copy_process+0x4928/0x7c70 kernel/fork.c:2264
 kernel_clone+0x176/0x9e0 kernel/fork.c:2722
 __do_sys_clone+0xd9/0x120 kernel/fork.c:2863
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f41fbbb58d2
Code: 89 e7 e8 71 8b f7 ff 45 31 c0 31 d2 31 f6 64 48 8b 04 25 10 00 00 00 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 66 89 c5 85 c0 75 3b 64 48 8b 04 25 10 00 00
RSP: 002b:00007ffd96f41680 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007ffd96f41680 RCX: 00007f41fbbb58d2
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007ffd96f4180c R08: 0000000000000000 R09: 0000000000000001
R10: 000055559030f7d0 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000927c0 R14: 00000000001d1d57 R15: 00007ffd96f41860
 </TASK>

The buggy address belongs to a 8-page vmalloc region starting at 0xffffc90003510000 allocated at kernel_clone+0x176/0x9e0 kernel/fork.c:2722
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x142487
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 12152, tgid 12152 (syz.0.1862), ts 985205448642, free_ts 981001298425
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xfd/0x120 mm/page_alloc.c:1853
 prep_new_page mm/page_alloc.c:1861 [inline]
 get_page_from_freelist+0x20a5/0x3850 mm/page_alloc.c:3941
 __alloc_frozen_pages_noprof+0x273/0x28a0 mm/page_alloc.c:5221
 alloc_pages_mpol+0xe8/0x410 mm/mempolicy.c:2490
 alloc_pages_noprof+0x1a/0x160 mm/mempolicy.c:2581
 vm_area_alloc_pages mm/vmalloc.c:3653 [inline]
 __vmalloc_area_node mm/vmalloc.c:3878 [inline]
 __vmalloc_node_range_noprof+0xf9a/0x1630 mm/vmalloc.c:4064
 __vmalloc_node_noprof+0xad/0xf0 mm/vmalloc.c:4124
 alloc_thread_stack_node kernel/fork.c:357 [inline]
 dup_task_struct kernel/fork.c:926 [inline]
 copy_process+0x7fb/0x7c70 kernel/fork.c:2090
 kernel_clone+0x176/0x9e0 kernel/fork.c:2722
 __do_sys_clone3+0x214/0x290 kernel/fork.c:3024
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x10b/0x7f0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 28 tgid 28 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1397 [inline]
 __free_frozen_pages+0x6d8/0xf60 mm/page_alloc.c:2938
 vfree mm/vmalloc.c:3472 [inline]
 vfree+0x15f/0x8d0 mm/vmalloc.c:3436
 __free_kvfree include/linux/slab.h:1235 [inline]
 hid_parse_collections drivers/hid/hid-core.c:1262 [inline]
 hid_open_report.cold+0x71/0x161 drivers/hid/hid-core.c:1384
 __hid_device_probe drivers/hid/hid-core.c:2824 [inline]
 hid_device_probe+0x68c/0x800 drivers/hid/hid-core.c:2859
 call_driver_probe drivers/base/dd.c:631 [inline]
 really_probe+0x241/0xa60 drivers/base/dd.c:709
 __driver_probe_device+0x22e/0x480 drivers/base/dd.c:871
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:901
 __device_attach_driver+0x1df/0x340 drivers/base/dd.c:1029
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500
 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1101
 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1156
 bus_probe_device+0x64/0x160 drivers/base/bus.c:613
 device_add+0x1210/0x1950 drivers/base/core.c:3706
 hid_add_device+0x2bf/0x440 drivers/hid/hid-core.c:3003
 usbhid_probe+0xc3c/0x1230 drivers/hid/usbhid/hid-core.c:1449
 usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396

Memory state around the buggy address:
 ffffc90003517900: f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00
 ffffc90003517980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90003517a00: 00 f1 f1 f1 f1 f1 f1 04 f2 04 f3 f3 f3 00 00 00
                                        ^
 ffffc90003517a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90003517b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	89 fe                	mov    %edi,%esi
   2:	bf 05 00 00 00       	mov    $0x5,%edi
   7:	e9 2a fe ff ff       	jmp    0xfffffe36
   c:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  13:	00 00 00
  16:	90                   	nop
  17:	90                   	nop
  18:	90                   	nop
  19:	90                   	nop
  1a:	90                   	nop
  1b:	90                   	nop
  1c:	90                   	nop
  1d:	90                   	nop
  1e:	90                   	nop
  1f:	90                   	nop
  20:	90                   	nop
  21:	90                   	nop
  22:	90                   	nop
  23:	90                   	nop
  24:	90                   	nop
  25:	90                   	nop
  26:	f3 0f 1e fa          	endbr64
* 2a:	48 8b 0c 24          	mov    (%rsp),%rcx <-- trapping instruction
  2e:	48 89 f2             	mov    %rsi,%rdx
  31:	48 89 fe             	mov    %rdi,%rsi
  34:	bf 07 00 00 00       	mov    $0x7,%edi
  39:	e9 f8 fd ff ff       	jmp    0xfffffe36
  3e:	0f                   	.byte 0xf
  3f:	1f                   	(bad)