KASAN: stack-out-of-bounds Write in i801

Title	Replies (including bot)	Last reply
[syzbot] [i2c?] KASAN: stack-out-of-bounds Write in i801_isr (3)	0 (1)	2024/03/14 11:17

Title

Replies (including bot)

Last reply

[syzbot] [i2c?] KASAN: stack-out-of-bounds Write in i801_isr (3)

0 (1)

2024/03/14 11:17

Kernel	Title	Count	Last	Reported	Patched	Status
upstream	KASAN: stack-out-of-bounds Write in i801_isr i2c	3	1256d	1339d	0/26	auto-closed as invalid on 2021/03/18 06:45
upstream	KASAN: stack-out-of-bounds Write in i801_isr (2) i2c	1	387d	382d	0/26	auto-obsoleted due to no activity on 2023/08/04 06:44
upstream	KASAN: out-of-bounds Read in i801_isr i2c	16	1041d	1081d	20/26	fixed on 2021/11/10 00:50

================================================================== BUG: KASAN: stack-out-of-bounds in i801_isr_byte_done drivers/i2c/busses/i2c-i801.c:550 [inline] BUG: KASAN: stack-out-of-bounds in i801_isr drivers/i2c/busses/i2c-i801.c:617 [inline] BUG: KASAN: stack-out-of-bounds in i801_isr+0xcfe/0xd10 drivers/i2c/busses/i2c-i801.c:598 Write of size 1 at addr ffffc900070dfd98 by task swapper/3/0 CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.8.0-rc7-syzkaller-00238-g005f6f34bd47 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 i801_isr_byte_done drivers/i2c/busses/i2c-i801.c:550 [inline] i801_isr drivers/i2c/busses/i2c-i801.c:617 [inline] i801_isr+0xcfe/0xd10 drivers/i2c/busses/i2c-i801.c:598 __handle_irq_event_percpu+0x22a/0x750 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210 handle_fasteoi_irq+0x233/0xc20 kernel/irq/chip.c:720 generic_handle_irq_desc include/linux/irqdesc.h:161 [inline] handle_irq arch/x86/kernel/irq.c:238 [inline] __common_interrupt+0xde/0x250 arch/x86/kernel/irq.c:257 common_interrupt+0x52/0xd0 arch/x86/kernel/irq.c:247 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:640 RIP: 0010:__do_softirq+0x1e0/0x8e7 kernel/softirq.c:539 Code: 89 44 24 18 44 88 74 24 3b 48 c7 c7 c0 59 0b 8b e8 65 31 fc ff 65 66 c7 05 73 ac 3b 75 00 00 e8 d6 47 ca f6 fb bb ff ff ff ff <49> c7 c6 c0 a0 40 8d 41 0f bc dc 83 c3 01 0f 85 a7 00 00 00 e9 70 RSP: 0018:ffffc900008e8f30 EFLAGS: 00000206 RAX: 00000000007499e4 RBX: 00000000ffffffff RCX: 1ffffffff1f3a679 RDX: 0000000000000000 RSI: ffffffff8b0cb3c0 RDI: ffffffff8b6e9980 RBP: 0000000100013d6f R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff8f9d6657 R11: 0000000000000000 R12: 0000000000000280 R13: 000000000000000a R14: 0000000000000001 R15: 0000000000000000 invoke_softirq kernel/softirq.c:427 [inline] __irq_exit_rcu kernel/softirq.c:632 [inline] irq_exit_rcu+0xbb/0x120 kernel/softirq.c:644 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649 RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline] RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline] RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:743 Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d b3 5d 42 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffffc90000187e08 EFLAGS: 00000246 RAX: 00000000007499dd RBX: 0000000000000003 RCX: ffffffff8ac43eab RDX: 0000000000000000 RSI: ffffffff8b0cb3c0 RDI: ffffffff8b6e9980 RBP: ffffed1002f51900 R08: 0000000000000001 R09: ffffed100d6a6ded R10: ffff88806b536f6b R11: 0000000000000000 R12: 0000000000000003 R13: ffff888017a8c800 R14: ffffffff8f9d6650 R15: 0000000000000000 default_idle_call+0x69/0xa0 kernel/sched/idle.c:97 cpuidle_idle_call kernel/sched/idle.c:170 [inline] do_idle+0x336/0x400 kernel/sched/idle.c:312 cpu_startup_entry+0x50/0x60 kernel/sched/idle.c:410 start_secondary+0x220/0x2b0 arch/x86/kernel/smpboot.c:336 secondary_startup_64_no_verify+0x170/0x17b </TASK> The buggy address belongs to the virtual mapping at [ffffc900070d8000, ffffc900070e1000) created by: kernel_clone+0xfd/0x930 kernel/fork.c:2902 The buggy address belongs to the physical page: page:ffffea0000c2b400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x30ad0 memcg:ffff88810914d102 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff ffff88810914d102 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 11717, tgid 11717 (syz-executor.2), ts 1114592091976, free_ts 1114514350228 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1533 prep_new_page mm/page_alloc.c:1540 [inline] get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311 __alloc_pages+0x22c/0x2430 mm/page_alloc.c:4569 alloc_pages_mpol+0x258/0x600 mm/mempolicy.c:2133 vm_area_alloc_pages mm/vmalloc.c:3063 [inline] __vmalloc_area_node mm/vmalloc.c:3139 [inline] __vmalloc_node_range+0xa6e/0x1540 mm/vmalloc.c:3320 alloc_thread_stack_node kernel/fork.c:307 [inline] dup_task_struct kernel/fork.c:1112 [inline] copy_process+0x150b/0x97b0 kernel/fork.c:2327 kernel_clone+0xfd/0x930 kernel/fork.c:2902 __do_sys_clone3+0x1f5/0x270 kernel/fork.c:3203 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6f/0x77 page last free pid 5219 tgid 5219 stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1140 [inline] free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2346 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2486 __folio_put_small mm/swap.c:106 [inline] __folio_put+0xc3/0x110 mm/swap.c:129 folio_put include/linux/mm.h:1494 [inline] put_page include/linux/mm.h:1563 [inline] free_page_and_swap_cache+0x25a/0x2d0 mm/swap_state.c:304 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline] __tlb_remove_table_free mm/mmu_gather.c:154 [inline] tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:209 rcu_do_batch kernel/rcu/tree.c:2190 [inline] rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465 __do_softirq+0x21c/0x8e7 kernel/softirq.c:553 Memory state around the buggy address: ffffc900070dfc80: 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 ffffc900070dfd00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 >ffffc900070dfd80: 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00 ^ ffffc900070dfe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 ffffc900070dfe80: f1 f1 00 f2 f2 f2 00 00 f3 f3 00 00 00 00 00 00 ================================================================== ---------------- Code disassembly (best guess): 0: 89 44 24 18 mov %eax,0x18(%rsp) 4: 44 88 74 24 3b mov %r14b,0x3b(%rsp) 9: 48 c7 c7 c0 59 0b 8b mov $0xffffffff8b0b59c0,%rdi 10: e8 65 31 fc ff call 0xfffc317a 15: 65 66 c7 05 73 ac 3b movw $0x0,%gs:0x753bac73(%rip) # 0x753bac92 1c: 75 00 00 1f: e8 d6 47 ca f6 call 0xf6ca47fa 24: fb sti 25: bb ff ff ff ff mov $0xffffffff,%ebx * 2a: 49 c7 c6 c0 a0 40 8d mov $0xffffffff8d40a0c0,%r14 <-- trapping instruction 31: 41 0f bc dc bsf %r12d,%ebx 35: 83 c3 01 add $0x1,%ebx 38: 0f 85 a7 00 00 00 jne 0xe5 3e: e9 .byte 0xe9 3f: 70 .byte 0x70

Crashes (1):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2024/03/10 11:08	upstream	005f6f34bd47	6ee49f2e	.config	console log	report			info	[disk image (non-bootable)] [vmlinux] [kernel image]	ci-qemu-upstream	KASAN: stack-out-of-bounds Write in i801_isr

Crashes (1):

Assets (help?)