==================================================================
BUG: KASAN: stack-out-of-bounds in cp2112_write_req drivers/hid/hid-cp2112.c:482 [inline]
BUG: KASAN: stack-out-of-bounds in cp2112_xfer+0x5f8/0xd68 drivers/hid/hid-cp2112.c:699
Read of size 42 at addr ffff800021577b61 by task syz.0.823/7329

CPU: 0 PID: 7329 Comm: syz.0.823 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
 dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
 print_address_description+0x88/0x218 mm/kasan/report.c:316
 print_report+0x50/0x68 mm/kasan/report.c:420
 kasan_report+0xa8/0xfc mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x258/0x290 mm/kasan/generic.c:189
 memcpy+0x48/0x90 mm/kasan/shadow.c:65
 cp2112_write_req drivers/hid/hid-cp2112.c:482 [inline]
 cp2112_xfer+0x5f8/0xd68 drivers/hid/hid-cp2112.c:699
 __i2c_smbus_xfer+0x59c/0x21ec drivers/i2c/i2c-core-smbus.c:590
 i2c_smbus_xfer+0x1f0/0x314 drivers/i2c/i2c-core-smbus.c:545
 i2cdev_ioctl_smbus+0x458/0x6b4 drivers/i2c/i2c-dev.c:381
 i2cdev_ioctl+0x734/0x974 drivers/i2c/i2c-dev.c:467
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to stack of task syz.0.823/7329
 and is located at offset 33 in frame:
 i2cdev_ioctl_smbus+0x0/0x6b4 drivers/i2c/i2c-dev.c:309

This frame has 1 object:
 [32, 66) 'temp'

The buggy address belongs to a 8-page vmalloc region starting at 0xffff800021570000 allocated at copy_process+0x4e8/0x36e4 kernel/fork.c:2186
The buggy address belongs to the physical page:
page:000000003a2a2f9c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1372e3
memcg:ffff0000c3dd4502
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff0000c3dd4502
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff800021577a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff800021577b00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
>ffff800021577b80: 02 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
                   ^
 ffff800021577c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f8 f8
 ffff800021577c80: f2 f2 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
==================================================================
cp2112 0003:10C4:EA90.0001: Error starting transaction: -38