bisecting fixing commit since 324c92e5e0ee0e993bdb106fac407846ed677f6b
building syzkaller on 0740de696b19a870c7208bd97f3194988281c282
testing commit 324c92e5e0ee0e993bdb106fac407846ed677f6b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7abcb0eeef92b5526d6babd10d2c00c4b0f45358e641cba65a030f143d3ef7d2
all runs: crashed: WARNING in vmk80xx_auto_attach/usb_submit_urb
testing current HEAD 34f4335c16a5f4bb7da6c8d2d5e780b6a163846a
testing commit 34f4335c16a5f4bb7da6c8d2d5e780b6a163846a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8bfdfcb6af4e54c8746eac61ed34a0c8f4a5b7b86e03924487bb0dabc0027c65
run #0: crashed: KASAN: slab-out-of-bounds Write in vmk80xx_auto_attach
run #1: crashed: KASAN: slab-out-of-bounds Write in vmk80xx_auto_attach
run #2: crashed: KASAN: slab-out-of-bounds Write in vmk80xx_auto_attach
run #3: crashed: KASAN: slab-out-of-bounds Write in vmk80xx_auto_attach
run #4: crashed: KASAN: slab-out-of-bounds Write in vmk80xx_auto_attach
run #5: crashed: KASAN: slab-out-of-bounds Write in vmk80xx_auto_attach
run #6: crashed: KASAN: slab-out-of-bounds Write in vmk80xx_auto_attach
run #7: boot failed: INFO: task hung in add_early_randomness
run #8: boot failed: INFO: task hung in add_early_randomness
run #9: boot failed: INFO: task hung in add_early_randomness
revisions tested: 2, total time: 26m47.832412894s (build: 12m34.169221739s, test: 13m17.571959194s)
the crash still happens on HEAD
commit msg: Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
crash: KASAN: slab-out-of-bounds Write in vmk80xx_auto_attach
usb 1-1: config 0 interface 59 altsetting 0 bulk endpoint 0xB has invalid maxpacket 296
usb 1-1: config 0 interface 59 altsetting 0 bulk endpoint 0x8A has invalid maxpacket 1
usb 1-1: New USB device found, idVendor=10cf, idProduct=5503, bcdDevice=8f.60
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
==================================================================
BUG: KASAN: slab-out-of-bounds in vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:226 [inline]
BUG: KASAN: slab-out-of-bounds in vmk80xx_auto_attach+0x136e/0x19c0 drivers/comedi/drivers/vmk80xx.c:818
Write of size 296 at addr ffff888024222000 by task kworker/0:1/14

CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 5.19.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memset+0x20/0x40 mm/kasan/shadow.c:44
 vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:226 [inline]
 vmk80xx_auto_attach+0x136e/0x19c0 drivers/comedi/drivers/vmk80xx.c:818
 comedi_auto_config+0x138/0x1e0 drivers/comedi/drivers.c:1066
 usb_probe_interface+0x274/0x6a0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:555 [inline]
 really_probe+0x1c1/0xa40 drivers/base/dd.c:634
 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:764
 driver_probe_device+0x44/0x110 drivers/base/dd.c:794
 __device_attach_driver+0x185/0x250 drivers/base/dd.c:917
 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427
 __device_attach+0x19e/0x440 drivers/base/dd.c:989
 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487
 device_add+0xa14/0x1b80 drivers/base/core.c:3417
 usb_set_configuration+0xa66/0x18b0 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0x74/0xa0 drivers/usb/core/generic.c:238
 usb_probe_device+0x95/0x240 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:555 [inline]
 really_probe+0x1c1/0xa40 drivers/base/dd.c:634
 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:764
 driver_probe_device+0x44/0x110 drivers/base/dd.c:794
 __device_attach_driver+0x185/0x250 drivers/base/dd.c:917
 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427
 __device_attach+0x19e/0x440 drivers/base/dd.c:989
 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487
 device_add+0xa14/0x1b80 drivers/base/core.c:3417
 usb_new_device.cold+0x5d1/0xeeb drivers/usb/core/hub.c:2566
 hub_port_connect drivers/usb/core/hub.c:5363 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5507 [inline]
 port_event drivers/usb/core/hub.c:5663 [inline]
 hub_event+0x114d/0x39d0 drivers/usb/core/hub.c:5745
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x299/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>

Allocated by task 14:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 vmk80xx_alloc_usb_buffers drivers/comedi/drivers/vmk80xx.c:688 [inline]
 vmk80xx_auto_attach+0x782/0x19c0 drivers/comedi/drivers/vmk80xx.c:811
 comedi_auto_config+0x138/0x1e0 drivers/comedi/drivers.c:1066
 usb_probe_interface+0x274/0x6a0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:555 [inline]
 really_probe+0x1c1/0xa40 drivers/base/dd.c:634
 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:764
 driver_probe_device+0x44/0x110 drivers/base/dd.c:794
 __device_attach_driver+0x185/0x250 drivers/base/dd.c:917
 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427
 __device_attach+0x19e/0x440 drivers/base/dd.c:989
 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487
 device_add+0xa14/0x1b80 drivers/base/core.c:3417
 usb_set_configuration+0xa66/0x18b0 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0x74/0xa0 drivers/usb/core/generic.c:238
 usb_probe_device+0x95/0x240 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:555 [inline]
 really_probe+0x1c1/0xa40 drivers/base/dd.c:634
 __driver_probe_device+0x2a6/0x460 drivers/base/dd.c:764
 driver_probe_device+0x44/0x110 drivers/base/dd.c:794
 __device_attach_driver+0x185/0x250 drivers/base/dd.c:917
 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:427
 __device_attach+0x19e/0x440 drivers/base/dd.c:989
 bus_probe_device+0x19d/0x250 drivers/base/bus.c:487
 device_add+0xa14/0x1b80 drivers/base/core.c:3417
 usb_new_device.cold+0x5d1/0xeeb drivers/usb/core/hub.c:2566
 hub_port_connect drivers/usb/core/hub.c:5363 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5507 [inline]
 port_event drivers/usb/core/hub.c:5663 [inline]
 hub_event+0x114d/0x39d0 drivers/usb/core/hub.c:5745
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x299/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

The buggy address belongs to the object at ffff888024222000
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff888024222000, ffff888024222040)

The buggy address belongs to the physical page:
page:ffffea0000908880 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24222
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000001 ffff888010041640
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 3010, tgid 3010 (udevadm), ts 7524768251, free_ts 6612238921
 prep_new_page mm/page_alloc.c:2456 [inline]
 get_page_from_freelist+0x19d3/0x3b30 mm/page_alloc.c:4198
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426
 alloc_slab_page mm/slub.c:1797 [inline]
 allocate_slab+0x26c/0x3c0 mm/slub.c:1942
 new_slab mm/slub.c:2002 [inline]
 ___slab_alloc+0x950/0xd90 mm/slub.c:3002
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3089
 slab_alloc_node mm/slub.c:3180 [inline]
 slab_alloc mm/slub.c:3222 [inline]
 __kmalloc+0x318/0x350 mm/slub.c:4413
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 tomoyo_encode2.part.0+0x92/0x310 security/tomoyo/realpath.c:45
 tomoyo_realpath_from_path+0x140/0x6a0 security/tomoyo/realpath.c:288
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x1fb/0x350 security/tomoyo/file.c:822
 security_inode_getattr+0xab/0x100 security/security.c:1344
 vfs_getattr fs/stat.c:157 [inline]
 vfs_statx+0xf4/0x2e0 fs/stat.c:232
 vfs_fstatat+0x4f/0x70 fs/stat.c:255
 __do_sys_newfstatat+0x72/0xd0 fs/stat.c:425
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3343 [inline]
 free_unref_page+0x19/0x6a0 mm/page_alloc.c:3438
 kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:359
 apply_to_pte_range mm/memory.c:2625 [inline]
 apply_to_pmd_range mm/memory.c:2669 [inline]
 apply_to_pud_range mm/memory.c:2705 [inline]
 apply_to_p4d_range mm/memory.c:2741 [inline]
 __apply_to_page_range+0x501/0xbc0 mm/memory.c:2775
 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:469
 __purge_vmap_area_lazy+0x701/0x2320 mm/vmalloc.c:1722
 drain_vmap_area_work+0x49/0xc0 mm/vmalloc.c:1751
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x299/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

Memory state around the buggy address:
 ffff888024221f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888024221f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888024222000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff888024222080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888024222100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================