syzbot


KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg

Status: upstream: reported C repro on 2025/12/18 16:35
Bug presence: origin:lts-only
Reported-by: syzbot+ec64e4e37e67c62c4654@syzkaller.appspotmail.com
First crash: 2d13h, last: 1d23h
Bug presence (2)
| Date | Name | Commit | Repro | Result |
|------|------|--------|-------|--------|
| 2025/12/19 | linux-6.1.y (ToT) | 50cbba13faa2 | C | [report] KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg |
| 2025/12/19 | upstream (ToT) | dd9b004b7ff3 | C | Didn't crash |
Similar bugs (1)
| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|--------|-------|------|-------|--------------|------------|-------|------|----------|---------|--------|
| linux-5.15 | KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg origin:lts-only | 23 | C | | | 4 | 7h56m | 2d05h | 0/3 | upstream: reported C repro on 2025/12/19 00:40 |

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in dtv5100_i2c_msg+0x17c/0x270 drivers/media/usb/dvb-usb/dtv5100.c:58
Write of size 83 at addr ffff0000dc482e00 by task syz.0.17/4504

CPU: 1 PID: 4504 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x88/0x218 mm/kasan/report.c:316
 print_report+0x50/0x68 mm/kasan/report.c:420
 kasan_report+0xa8/0x100 mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x260/0x2a0 mm/kasan/generic.c:189
 memcpy+0x60/0x90 mm/kasan/shadow.c:66
 dtv5100_i2c_msg+0x17c/0x270 drivers/media/usb/dvb-usb/dtv5100.c:58
 dtv5100_i2c_xfer+0x210/0x358 drivers/media/usb/dvb-usb/dtv5100.c:81
 __i2c_transfer+0x610/0x21c0 drivers/i2c/i2c-core-base.c:-1
 i2c_transfer+0x1c8/0x2e4 drivers/i2c/i2c-core-base.c:2333
 i2cdev_ioctl_rdwr+0x318/0x680 drivers/i2c/i2c-dev.c:297
 i2cdev_ioctl+0x74c/0x948 drivers/i2c/i2c-dev.c:458
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 4372:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x28/0x34 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa0/0xb8 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:936 [inline]
 __kmalloc+0xec/0x178 mm/slab_common.c:949
 kmalloc include/linux/slab.h:568 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:167 [inline]
 dvb_usb_device_init+0x6e4/0x1958 drivers/media/usb/dvb-usb/dvb-usb-init.c:310
 dtv5100_probe+0x288/0x2c4 drivers/media/usb/dvb-usb/dtv5100.c:157
 usb_probe_interface+0x4fc/0x994 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x39c/0xae0 drivers/base/dd.c:639
 __driver_probe_device+0x180/0x314 drivers/base/dd.c:785
 driver_probe_device+0x78/0x330 drivers/base/dd.c:815
 __device_attach_driver+0x290/0x4e0 drivers/base/dd.c:943
 bus_for_each_drv+0x150/0x1d8 drivers/base/bus.c:429
 __device_attach+0x2a8/0x3d4 drivers/base/dd.c:1015
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1064
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf94 drivers/base/core.c:3697
 usb_set_configuration+0x1598/0x1b0c drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8c/0x144 drivers/usb/core/generic.c:238
 usb_probe_device+0x120/0x25c drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x39c/0xae0 drivers/base/dd.c:639
 __driver_probe_device+0x180/0x314 drivers/base/dd.c:785
 driver_probe_device+0x78/0x330 drivers/base/dd.c:815
 __device_attach_driver+0x290/0x4e0 drivers/base/dd.c:943
 bus_for_each_drv+0x150/0x1d8 drivers/base/bus.c:429
 __device_attach+0x2a8/0x3d4 drivers/base/dd.c:1015
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1064
 bus_probe_device+0xbc/0x1c4 drivers/base/bus.c:489
 device_add+0xb04/0xf94 drivers/base/core.c:3697
 usb_new_device+0x7f0/0x11c4 drivers/usb/core/hub.c:2659
 hub_port_connect drivers/usb/core/hub.c:5517 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5657 [inline]
 port_event drivers/usb/core/hub.c:5817 [inline]
 hub_event+0x221c/0x3e2c drivers/usb/core/hub.c:5899
 process_one_work+0x7f4/0x13a8 kernel/workqueue.c:2292
 worker_thread+0x8c8/0xfbc kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850

The buggy address belongs to the object at ffff0000dc482e00
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes inside of
 128-byte region [ffff0000dc482e00, ffff0000dc482e80)

The buggy address belongs to the physical page:
page:000000005731c847 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c482
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000c0002300
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000dc482d00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000dc482d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000dc482e00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                 ^
 ffff0000dc482e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000dc482f00: 06 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (8):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|------|--------|--------|-----------|--------|-----|--------|-----------|---------|---------|--------|---------|-------|
| 2025/12/18 17:31 | linux-6.1.y | 50cbba13faa2 | d6526ea3 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg |
| 2025/12/18 17:03 | linux-6.1.y | 50cbba13faa2 | d6526ea3 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg |
| 2025/12/19 04:22 | linux-6.1.y | 50cbba13faa2 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg |
| 2025/12/19 04:20 | linux-6.1.y | 50cbba13faa2 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg |
| 2025/12/18 20:51 | linux-6.1.y | 50cbba13faa2 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg |
| 2025/12/18 20:50 | linux-6.1.y | 50cbba13faa2 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg |
| 2025/12/18 16:34 | linux-6.1.y | 50cbba13faa2 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg |
| 2025/12/18 16:34 | linux-6.1.y | 50cbba13faa2 | d6526ea3 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: slab-out-of-bounds Write in dtv5100_i2c_msg |