==================================================================
BUG: KASAN: stack-out-of-bounds in cp2112_write_req drivers/hid/hid-cp2112.c:482 [inline]
BUG: KASAN: stack-out-of-bounds in cp2112_xfer+0x5e8/0xd58 drivers/hid/hid-cp2112.c:699
Read of size 42 at addr ffff8000210a7b61 by task syz.0.410/5779

CPU: 1 PID: 5779 Comm: syz.0.410 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x88/0x218 mm/kasan/report.c:316
 print_report+0x50/0x68 mm/kasan/report.c:420
 kasan_report+0xa8/0x100 mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x260/0x2a0 mm/kasan/generic.c:189
 memcpy+0x48/0x90 mm/kasan/shadow.c:65
 cp2112_write_req drivers/hid/hid-cp2112.c:482 [inline]
 cp2112_xfer+0x5e8/0xd58 drivers/hid/hid-cp2112.c:699
 __i2c_smbus_xfer+0x584/0x2150 drivers/i2c/i2c-core-smbus.c:590
 i2c_smbus_xfer+0x1f0/0x314 drivers/i2c/i2c-core-smbus.c:545
 i2cdev_ioctl_smbus+0x438/0x6a0 drivers/i2c/i2c-dev.c:381
 i2cdev_ioctl+0x720/0x948 drivers/i2c/i2c-dev.c:467
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to stack of task syz.0.410/5779
 and is located at offset 33 in frame:
 i2cdev_ioctl_smbus+0x0/0x6a0 drivers/i2c/i2c-dev.c:309

This frame has 1 object:
 [32, 66) 'temp'

The buggy address belongs to a 8-page vmalloc region starting at 0xffff8000210a0000 allocated at copy_process+0x4c8/0x3670 kernel/fork.c:2186
The buggy address belongs to the physical page:
page:0000000010898c56 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11d815
memcg:ffff0000f769af02
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff0000f769af02
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8000210a7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8000210a7b00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
>ffff8000210a7b80: 02 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
                   ^
 ffff8000210a7c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 00 00
 ffff8000210a7c80: f2 f2 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
==================================================================
cp2112 0003:10C4:EA90.0001: Error starting transaction: -38