syzbot


KASAN: slab-out-of-bounds Read in mcp2221_raw_event

Status: upstream: reported on 2024/12/06 20:05
Subsystems: input usb
Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
First crash: 20d, last: 22h40m
Discussions (1)

| Title | Replies (including bot) | Last reply |
| --- | --- | --- |
| [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event | 0 (1) | 2024/12/06 20:05 |

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0xf98/0x1030 drivers/hid/hid-mcp2221.c:852
Read of size 1 at addr ffff8881083f7fff by task kworker/1:1/52

CPU: 1 UID: 0 PID: 52 Comm: kworker/1:1 Not tainted 6.13.0-rc3-syzkaller-g362a7993ed01 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 mcp2221_raw_event+0xf98/0x1030 drivers/hid/hid-mcp2221.c:852
 __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111
 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:285
 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x17f0/0x3930 drivers/usb/gadget/udc/dummy_hcd.c:1993
 __run_hrtimer kernel/time/hrtimer.c:1739 [inline]
 __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820
 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x9a4/0xc60 kernel/printk/printk.c:3211
Code: 00 e8 10 de 27 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 9e 38 20 00 48 85 db 0f 85 55 01 00 00 e8 20 36 20 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 25 fe 79
RSP: 0000:ffffc90000537208 EFLAGS: 00000287
RAX: ffffffff893a8cd8 RBX: 0000000000000000 RCX: ffffc9000f746000
RDX: 0000000000100000 RSI: ffffffff813b2440 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000006 R12: ffffffff893a8cd8
R13: ffffffff893a8c80 R14: ffffc90000537298 R15: dffffc0000000000
 __console_flush_and_unlock kernel/printk/printk.c:3269 [inline]
 console_unlock+0xd9/0x210 kernel/printk/printk.c:3309
 vprintk_emit+0x424/0x6f0 kernel/printk/printk.c:2432
 dev_vprintk_emit drivers/base/core.c:4935 [inline]
 dev_printk_emit+0xfb/0x140 drivers/base/core.c:4946
 __dev_printk+0xf5/0x270 drivers/base/core.c:4958
 _dev_notice+0xe5/0x120 drivers/base/core.c:5003
 usb_parse_endpoint drivers/usb/core/config.c:284 [inline]
 usb_parse_interface drivers/usb/core/config.c:594 [inline]
 usb_parse_configuration drivers/usb/core/config.c:807 [inline]
 usb_get_configuration+0x34e9/0x5e50 drivers/usb/core/config.c:956
 usb_enumerate_device drivers/usb/core/hub.c:2483 [inline]
 usb_new_device+0x1189/0x1a10 drivers/usb/core/hub.c:2621
 hub_port_connect drivers/usb/core/hub.c:5521 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
 port_event drivers/usb/core/hub.c:5821 [inline]
 hub_event+0x2e58/0x4f40 drivers/usb/core/hub.c:5903
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5219:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6e/0x70 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4119 [inline]
 slab_alloc_node mm/slub.c:4168 [inline]
 kmem_cache_alloc_noprof+0x154/0x3b0 mm/slub.c:4175
 alloc_empty_file+0x73/0x1e0 fs/file_table.c:228
 path_openat+0xe1/0x2d60 fs/namei.c:3973
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 15:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x37/0x50 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free_after_rcu_debug+0xd2/0x2b0 mm/slub.c:4663
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823
 handle_softirqs+0x206/0x8d0 kernel/softirq.c:561
 run_ksoftirqd kernel/softirq.c:950 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:942
 smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0x9b/0xb0 mm/kasan/generic.c:544
 slab_free_hook mm/slub.c:2314 [inline]
 slab_free mm/slub.c:4613 [inline]
 kmem_cache_free+0x2e6/0x470 mm/slub.c:4715
 file_free fs/file_table.c:76 [inline]
 fput+0x3ad/0x440 fs/file_table.c:505
 path_openat+0xec1/0x2d60 fs/namei.c:3996
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8881083f7dc0
 which belongs to the cache filp of size 360
The buggy address is located 215 bytes to the right of
 allocated 360-byte region [ffff8881083f7dc0, ffff8881083f7f28)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1083f6
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88811e516e01
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100ae1500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000120012 00000001f5000000 ffff88811e516e01
head: 0200000000000040 ffff888100ae1500 dead000000000100 dead000000000122
head: 0000000000000000 0000000000120012 00000001f5000000 ffff88811e516e01
head: 0200000000000001 ffffea000420fd81 ffffffffffffffff 0000000000000000
head: ffff888100000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6402, tgid 6402 (rm), ts 215423086341, free_ts 215418769542
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x21c/0x22a0 mm/page_alloc.c:4751
 alloc_pages_mpol_noprof+0xeb/0x400 mm/mempolicy.c:2269
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab mm/slub.c:2589 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2642
 ___slab_alloc+0xd1d/0x16e0 mm/slub.c:3830
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
 __slab_alloc_node mm/slub.c:3995 [inline]
 slab_alloc_node mm/slub.c:4156 [inline]
 kmem_cache_alloc_noprof+0x1fd/0x3b0 mm/slub.c:4175
 alloc_empty_file+0x73/0x1e0 fs/file_table.c:228
 path_openat+0xe1/0x2d60 fs/namei.c:3973
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6388 tgid 6388 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0xe40 mm/page_alloc.c:2657
 mm_free_pgd kernel/fork.c:809 [inline]
 __mmdrop+0xd5/0x460 kernel/fork.c:925
 mmdrop include/linux/sched/mm.h:55 [inline]
 mmdrop_sched include/linux/sched/mm.h:83 [inline]
 mmdrop_lazy_tlb_sched include/linux/sched/mm.h:110 [inline]
 finish_task_switch.isra.0+0x584/0xa40 kernel/sched/core.c:5268
 context_switch kernel/sched/core.c:5372 [inline]
 __schedule+0x1034/0x34b0 kernel/sched/core.c:6756
 __schedule_loop kernel/sched/core.c:6833 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6848
 exit_to_user_mode_loop kernel/entry/common.c:102 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xec/0x260 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff8881083f7e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881083f7f00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
>ffff8881083f7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff8881083f8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881083f8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	e8 10 de 27 00       	call   0x27de15
   5:	9c                   	pushf
   6:	5b                   	pop    %rbx
   7:	81 e3 00 02 00 00    	and    $0x200,%ebx
   d:	31 ff                	xor    %edi,%edi
   f:	48 89 de             	mov    %rbx,%rsi
  12:	e8 9e 38 20 00       	call   0x2038b5
  17:	48 85 db             	test   %rbx,%rbx
  1a:	0f 85 55 01 00 00    	jne    0x175
  20:	e8 20 36 20 00       	call   0x203645
  25:	fb                   	sti
  26:	4c 89 e0             	mov    %r12,%rax
* 29:	48 c1 e8 03          	shr    $0x3,%rax <-- trapping instruction
  2d:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1)
  32:	0f 84 11 ff ff ff    	je     0xffffff49
  38:	4c 89 e7             	mov    %r12,%rdi
  3b:	e8                   	.byte 0xe8
  3c:	25                   	.byte 0x25
  3d:	fe                   	(bad)
  3e:	79                   	.byte 0x79

Crashes (20):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2024/12/20 15:02 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 362a7993ed01 | 0f61b415 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/17 06:07 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 362a7993ed01 | eec85da6 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/17 02:42 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 362a7993ed01 | eec85da6 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/15 07:32 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | 7cbfbb3a | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/14 21:49 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | 7cbfbb3a | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/14 15:01 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | 7cbfbb3a | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/14 08:19 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | 7cbfbb3a | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/10 08:26 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | cfc402b4 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/10 02:10 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | cfc402b4 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/09 20:55 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | 9ac0fdc6 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/09 11:35 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | 9ac0fdc6 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/09 00:35 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | 9ac0fdc6 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/07 03:15 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | 9ac0fdc6 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/06 20:04 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | 9ac0fdc6 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/05 12:43 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | 29f61fce | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/04 00:15 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | cdd30ebb1b9f | b50eb251 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/01 06:06 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 237d4e0f4113 | 68914665 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/01 05:35 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 237d4e0f4113 | 68914665 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: slab-out-of-bounds Read in mcp2221_raw_event |
| 2024/12/17 18:41 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 362a7993ed01 | f93b2b55 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: use-after-free Read in mcp2221_raw_event |
| 2024/12/11 04:11 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | d8d936c51388 | cfc402b4 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-upstream-usb | KASAN: use-after-free Read in mcp2221_raw_event |