betop 0003:11C0:5506.0001: hidraw0: USB HID v0.00 Device [HID 11c0:5506] on usb-dummy_hcd.1-1/input0
==================================================================
BUG: KASAN: slab-out-of-bounds in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
BUG: KASAN: slab-out-of-bounds in betopff_init drivers/hid/hid-betopff.c:99 [inline]
BUG: KASAN: slab-out-of-bounds in betop_probe+0x2f0/0x690 drivers/hid/hid-betopff.c:134
Write of size 8 at addr ffff8880a440e5c0 by task kworker/1:5/3490

CPU: 1 PID: 3490 Comm: kworker/1:5 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x96/0xe0 lib/dump_stack.c:118
 print_address_description.constprop.4.cold.6+0x9/0x373 mm/kasan/report.c:374
 __kasan_report.cold.7+0x7a/0x92 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x144/0x1c0 mm/kasan/generic.c:192
 set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
 betopff_init drivers/hid/hid-betopff.c:99 [inline]
 betop_probe+0x2f0/0x690 drivers/hid/hid-betopff.c:134
 hid_device_probe+0x274/0x360 drivers/hid/hid-core.c:2263
 really_probe+0x20b/0xb00 drivers/base/dd.c:551
 driver_probe_device+0x259/0x370 drivers/base/dd.c:724
 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x10f7/0x1920 drivers/base/core.c:2500
 hid_add_device+0x2da/0x940 drivers/hid/hid-core.c:2419
 usbhid_probe+0x9b7/0xec0 drivers/hid/usbhid/hid-core.c:1386
 usb_probe_interface+0x277/0x840 drivers/usb/core/driver.c:361
 really_probe+0x20b/0xb00 drivers/base/dd.c:551
 driver_probe_device+0x259/0x370 drivers/base/dd.c:724
 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x10f7/0x1920 drivers/base/core.c:2500
 usb_set_configuration+0xc81/0x1940 drivers/usb/core/message.c:2023
 generic_probe+0x61/0x8a drivers/usb/core/generic.c:210
 really_probe+0x20b/0xb00 drivers/base/dd.c:551
 driver_probe_device+0x259/0x370 drivers/base/dd.c:724
 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x10f7/0x1920 drivers/base/core.c:2500
 usb_new_device+0x866/0x14e0 drivers/usb/core/hub.c:2548
 hub_port_connect drivers/usb/core/hub.c:5195 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
 port_event drivers/usb/core/hub.c:5481 [inline]
 hub_event+0x1079/0x3240 drivers/usb/core/hub.c:5563
 process_one_work+0x8ff/0x1690 kernel/workqueue.c:2264
 worker_thread+0x82/0xb50 kernel/workqueue.c:2410
 kthread+0x31d/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 3490:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.15+0xc1/0xd0 mm/kasan/common.c:488
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 hidraw_connect+0x49/0x510 drivers/hid/hidraw.c:521
 hid_connect+0x502/0xa50 drivers/hid/hid-core.c:1939
 hid_hw_start+0x75/0x100 drivers/hid/hid-core.c:2035
 betop_probe+0x8f/0x690 drivers/hid/hid-betopff.c:128
 hid_device_probe+0x274/0x360 drivers/hid/hid-core.c:2263
 really_probe+0x20b/0xb00 drivers/base/dd.c:551
 driver_probe_device+0x259/0x370 drivers/base/dd.c:724
 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x10f7/0x1920 drivers/base/core.c:2500
 hid_add_device+0x2da/0x940 drivers/hid/hid-core.c:2419
 usbhid_probe+0x9b7/0xec0 drivers/hid/usbhid/hid-core.c:1386
 usb_probe_interface+0x277/0x840 drivers/usb/core/driver.c:361
 really_probe+0x20b/0xb00 drivers/base/dd.c:551
 driver_probe_device+0x259/0x370 drivers/base/dd.c:724
 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x10f7/0x1920 drivers/base/core.c:2500
 usb_set_configuration+0xc81/0x1940 drivers/usb/core/message.c:2023
 generic_probe+0x61/0x8a drivers/usb/core/generic.c:210
 really_probe+0x20b/0xb00 drivers/base/dd.c:551
 driver_probe_device+0x259/0x370 drivers/base/dd.c:724
 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x10f7/0x1920 drivers/base/core.c:2500
 usb_new_device+0x866/0x14e0 drivers/usb/core/hub.c:2548
 hub_port_connect drivers/usb/core/hub.c:5195 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
 port_event drivers/usb/core/hub.c:5481 [inline]
 hub_event+0x1079/0x3240 drivers/usb/core/hub.c:5563
 process_one_work+0x8ff/0x1690 kernel/workqueue.c:2264
 worker_thread+0x82/0xb50 kernel/workqueue.c:2410
 kthread+0x31d/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 10:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x124/0x170 mm/kasan/common.c:476
 slab_free_hook mm/slub.c:1444 [inline]
 slab_free_freelist_hook+0x53/0x140 mm/slub.c:1477
 slab_free mm/slub.c:3024 [inline]
 kfree+0xd6/0x3c0 mm/slub.c:3976
 security_cred_free+0xa2/0x100 security/security.c:1580
 put_cred_rcu+0xe6/0x430 kernel/cred.c:114
 rcu_do_batch kernel/rcu/tree.c:2186 [inline]
 rcu_core+0x9c6/0x10b0 kernel/rcu/tree.c:2410
 __do_softirq+0x24a/0xa97 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880a440e500
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes to the right of
 192-byte region [ffff8880a440e500, ffff8880a440e5c0)
The buggy address belongs to the page:
page:ffffea0002910380 refcount:1 mapcount:0 mapping:ffff8880b5802a00 index:0x0
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea0002c71800 0000000900000009 ffff8880b5802a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2151 [inline]
 prep_new_page+0x12f/0x240 mm/page_alloc.c:2157
 get_page_from_freelist+0xfc1/0x40f0 mm/page_alloc.c:3684
 __alloc_pages_nodemask+0x29c/0x830 mm/page_alloc.c:4731
 __alloc_pages include/linux/gfp.h:496 [inline]
 alloc_page_interleave+0xf/0x1a0 mm/mempolicy.c:2077
 alloc_pages include/linux/gfp.h:532 [inline]
 alloc_slab_page+0xd5/0x4e0 mm/slub.c:1515
 allocate_slab mm/slub.c:1660 [inline]
 new_slab+0x84/0x440 mm/slub.c:1726
 new_slab_objects mm/slub.c:2477 [inline]
 ___slab_alloc+0x485/0x730 mm/slub.c:2628
 __slab_alloc.isra.46+0x74/0xe0 mm/slub.c:2668
 slab_alloc_node mm/slub.c:2742 [inline]
 slab_alloc mm/slub.c:2786 [inline]
 kmem_cache_alloc_trace+0x163/0x1b0 mm/slub.c:2803
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 call_usermodehelper_setup+0x93/0x340 kernel/umh.c:386
 kobject_uevent_env+0xbe2/0x1220 lib/kobject_uevent.c:613
 kset_register+0x2b/0x40 lib/kobject.c:867
 __class_register+0x1ed/0x440 drivers/base/class.c:188
 __class_create+0xb6/0x110 drivers/base/class.c:242
 comedi_init+0xc9/0x1de drivers/staging/comedi/comedi_fops.c:3023
 do_one_initcall+0xc3/0x520 init/main.c:1152
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1163 [inline]
 free_pcp_prepare+0x3e8/0x500 mm/page_alloc.c:1198
 free_unref_page_prepare mm/page_alloc.c:3011 [inline]
 free_unref_page+0xc/0x70 mm/page_alloc.c:3060
 __vunmap+0x4db/0x860 mm/vmalloc.c:2315
 free_work+0x48/0x60 mm/vmalloc.c:66
 process_one_work+0x8ff/0x1690 kernel/workqueue.c:2264
 worker_thread+0x82/0xb50 kernel/workqueue.c:2410
 kthread+0x31d/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Memory state around the buggy address:
 ffff8880a440e480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a440e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a440e580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff8880a440e600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a440e680: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================