KASAN: slab-out-of-bounds Write in betop

Title	Replies (including bot)	Last reply
[PATCH 4.14 00/75] 4.14.249-rc1 review	81 (81)	2021/10/07 16:21
[PATCH AUTOSEL 5.14 01/40] ext4: check and update i_disksize properly	44 (44)	2021/10/06 15:12
[PATCH 5.4 00/56] 5.4.151-rc1 review	62 (62)	2021/10/05 06:56
[PATCH 4.9 00/57] 4.9.285-rc1 review	62 (62)	2021/10/05 06:54
[PATCH 4.19 00/95] 4.19.209-rc1 review	103 (103)	2021/10/05 06:47
[PATCH 5.14 000/172] 5.14.10-rc1 review	184 (184)	2021/10/05 06:41
[PATCH 5.10 00/93] 5.10.71-rc1 review	100 (100)	2021/10/05 02:40
[PATCH 4.4 00/41] 4.4.286-rc1 review	45 (45)	2021/10/05 02:13
[PATCH] fix slab-out-of-bounds Write in betop_probe	10 (10)	2021/09/15 14:31
KASAN: slab-out-of-bounds Write in betop_probe	2 (3)	2020/05/05 13:44

Title

Replies (including bot)

Last reply

[PATCH 4.14 00/75] 4.14.249-rc1 review

81 (81)

2021/10/07 16:21

[PATCH AUTOSEL 5.14 01/40] ext4: check and update i_disksize properly

44 (44)

2021/10/06 15:12

[PATCH 5.4 00/56] 5.4.151-rc1 review

62 (62)

2021/10/05 06:56

[PATCH 4.9 00/57] 4.9.285-rc1 review

62 (62)

2021/10/05 06:54

[PATCH 4.19 00/95] 4.19.209-rc1 review

103 (103)

2021/10/05 06:47

[PATCH 5.14 000/172] 5.14.10-rc1 review

184 (184)

2021/10/05 06:41

[PATCH 5.10 00/93] 5.10.71-rc1 review

100 (100)

2021/10/05 02:40

[PATCH 4.4 00/41] 4.4.286-rc1 review

45 (45)

2021/10/05 02:13

[PATCH] fix slab-out-of-bounds Write in betop_probe

10 (10)

2021/09/15 14:31

KASAN: slab-out-of-bounds Write in betop_probe

2 (3)

2020/05/05 13:44

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-54	KASAN: slab-out-of-bounds Write in betop_probe	C			1	1140d	1140d	0/2	auto-obsoleted due to no activity on 2022/08/27 00:12

android-54

KASAN: slab-out-of-bounds Write in betop_probe

1140d

0/2

auto-obsoleted due to no activity on 2022/08/27 00:12


Created	Duration	User	Patch	Repo	Result
2021/08/24 12:04	0m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	error
2021/08/24 10:19	12m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	report log
2021/08/24 10:04	5m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	error
2021/08/16 11:36	0m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	error
2021/08/16 11:34	0m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	error
2021/08/16 11:32	0m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	error
2021/08/15 15:53	10m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	report log
2021/08/14 22:02	15m	asha.16@itfac.mrt.ac.lk	patch	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	OK
2021/08/13 19:57	14m	asha.16@itfac.mrt.ac.lk		https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master	report log

Created	Duration	User	Patch	Repo	Result
2021/08/20 01:34	20m	bisect fix		upstream	job log (0) log

Created

Duration

User

Patch

Repo

Result

2021/08/20 01:34

20m

bisect fix

upstream

job log (0) log

usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9 usb 1-1: New USB device found, idVendor=11c0, idProduct=5506, bcdDevice= 0.00 usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 usb 1-1: config 0 descriptor?? betop 0003:11C0:5506.0001: hidraw0: USB HID v0.00 Device [HID 11c0:5506] on usb-dummy_hcd.0-1/input0 ================================================================== BUG: KASAN: slab-out-of-bounds in instrument_atomic_write include/linux/instrumented.h:86 [inline] BUG: KASAN: slab-out-of-bounds in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline] BUG: KASAN: slab-out-of-bounds in betopff_init drivers/hid/hid-betopff.c:99 [inline] BUG: KASAN: slab-out-of-bounds in betop_probe+0x3bb/0x5e0 drivers/hid/hid-betopff.c:134 Write of size 8 at addr ffff8880166964c0 by task kworker/0:3/3160 CPU: 0 PID: 3160 Comm: kworker/0:3 Not tainted 5.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105 print_address_description.constprop.0.cold+0x6c/0x2d6 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:436 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_write include/linux/instrumented.h:86 [inline] set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline] betopff_init drivers/hid/hid-betopff.c:99 [inline] betop_probe+0x3bb/0x5e0 drivers/hid/hid-betopff.c:134 hid_device_probe+0x2bd/0x3f0 drivers/hid/hid-core.c:2287 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x23c/0xcd0 drivers/base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/core.c:3352 hid_add_device+0x344/0x9d0 drivers/hid/hid-core.c:2439 usbhid_probe+0xba9/0x10b0 drivers/hid/usbhid/hid-core.c:1417 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x23c/0xcd0 drivers/base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/core.c:3352 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x23c/0xcd0 drivers/base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/core.c:3352 usb_new_device.cold+0x63f/0x108e drivers/usb/core/hub.c:2559 hub_port_connect drivers/usb/core/hub.c:5300 [inline] hub_port_connect_change drivers/usb/core/hub.c:5440 [inline] port_event drivers/usb/core/hub.c:5586 [inline] hub_event+0x2357/0x4330 drivers/usb/core/hub.c:5668 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 3160: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline] __kasan_kmalloc+0x98/0xc0 mm/kasan/common.c:522 kasan_kmalloc include/linux/kasan.h:264 [inline] kmem_cache_alloc_trace+0x1e4/0x480 mm/slab.c:3575 kmalloc include/linux/slab.h:591 [inline] kzalloc include/linux/slab.h:721 [inline] hidraw_connect+0x4b/0x440 drivers/hid/hidraw.c:543 hid_connect+0x5be/0xbc0 drivers/hid/hid-core.c:1960 hid_hw_start drivers/hid/hid-core.c:2059 [inline] hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:2050 betop_probe+0xce/0x5e0 drivers/hid/hid-betopff.c:128 hid_device_probe+0x2bd/0x3f0 drivers/hid/hid-core.c:2287 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x23c/0xcd0 drivers/base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/core.c:3352 hid_add_device+0x344/0x9d0 drivers/hid/hid-core.c:2439 usbhid_probe+0xba9/0x10b0 drivers/hid/usbhid/hid-core.c:1417 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x23c/0xcd0 drivers/base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/core.c:3352 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x23c/0xcd0 drivers/base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/core.c:3352 usb_new_device.cold+0x63f/0x108e drivers/usb/core/hub.c:2559 hub_port_connect drivers/usb/core/hub.c:5300 [inline] hub_port_connect_change drivers/usb/core/hub.c:5440 [inline] port_event drivers/usb/core/hub.c:5586 [inline] hub_event+0x2357/0x4330 drivers/usb/core/hub.c:5668 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xa4/0xd0 mm/kasan/generic.c:348 insert_work+0x48/0x370 kernel/workqueue.c:1332 __queue_work+0x5c1/0xed0 kernel/workqueue.c:1498 queue_work_on+0xee/0x110 kernel/workqueue.c:1525 queue_work include/linux/workqueue.h:507 [inline] call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208 uevent_store+0x20/0x50 drivers/base/core.c:2370 dev_attr_store+0x50/0x80 drivers/base/core.c:2071 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296 call_write_iter include/linux/fs.h:2114 [inline] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x75a/0xa40 fs/read_write.c:605 ksys_write+0x12d/0x250 fs/read_write.c:658 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Second to last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xa4/0xd0 mm/kasan/generic.c:348 insert_work+0x48/0x370 kernel/workqueue.c:1332 __queue_work+0x5c1/0xed0 kernel/workqueue.c:1498 queue_work_on+0xee/0x110 kernel/workqueue.c:1525 queue_work include/linux/workqueue.h:507 [inline] call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208 uevent_store+0x20/0x50 drivers/base/core.c:2370 dev_attr_store+0x50/0x80 drivers/base/core.c:2071 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296 call_write_iter include/linux/fs.h:2114 [inline] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x75a/0xa40 fs/read_write.c:605 ksys_write+0x12d/0x250 fs/read_write.c:658 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888016696400 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 0 bytes to the right of 192-byte region [ffff888016696400, ffff8880166964c0) The buggy address belongs to the page: page:ffffea000059a580 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888016696600 pfn:0x16696 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea00005c31c8 ffffea000066e4c8 ffff888010840000 raw: ffff888016696600 ffff888016696000 0000000100000007 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, ts 2611248540, free_ts 0 prep_new_page mm/page_alloc.c:2433 [inline] get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4166 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5388 __alloc_pages_node include/linux/gfp.h:570 [inline] kmem_getpages mm/slab.c:1377 [inline] cache_grow_begin+0x75/0x460 mm/slab.c:2593 cache_alloc_refill+0x27f/0x380 mm/slab.c:2965 ____cache_alloc mm/slab.c:3048 [inline] ____cache_alloc mm/slab.c:3031 [inline] __do_cache_alloc mm/slab.c:3275 [inline] slab_alloc mm/slab.c:3316 [inline] kmem_cache_alloc_trace+0x38c/0x480 mm/slab.c:3573 kmalloc include/linux/slab.h:591 [inline] kzalloc include/linux/slab.h:721 [inline] call_usermodehelper_setup+0x9d/0x340 kernel/umh.c:365 kobject_uevent_env+0xf73/0x1650 lib/kobject_uevent.c:614 kernel_add_sysfs_param kernel/params.c:798 [inline] param_sysfs_builtin kernel/params.c:833 [inline] param_sysfs_init+0x3bf/0x498 kernel/params.c:952 do_one_initcall+0x103/0x650 init/main.c:1282 do_initcall_level init/main.c:1355 [inline] do_initcalls init/main.c:1371 [inline] do_basic_setup init/main.c:1391 [inline] kernel_init_freeable+0x6b8/0x741 init/main.c:1593 kernel_init+0x1a/0x1d0 init/main.c:1485 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 page_owner free stack trace missing Memory state around the buggy address: ffff888016696380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888016696400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888016696480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff888016696500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888016696580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc f

Crashes (9):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager	Title
2021/07/19 17:43	upstream	2734d6c1b1a0	e6a17580	.config	console log	report	syz	C	ci-upstream-kasan-gce-selinux-root	KASAN: slab-out-of-bounds Write in betop_probe
2021/06/06 20:38	upstream	f5b6eb1e0182	500c2339	.config	console log	report	syz	C	ci-upstream-kasan-gce-smack-root	KASAN: slab-out-of-bounds Write in betop_probe
2021/06/27 22:28	linux-next	a1f92694393a	9d2ab5df	.config	console log	report	syz	C	ci-upstream-linux-next-kasan-gce-root	KASAN: slab-out-of-bounds Write in betop_probe
2020/12/13 17:49	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	a256e24021bf	bca53db9	.config	console log	report	syz	C	ci2-upstream-usb
2020/05/14 02:05	https://github.com/google/kasan.git usb-fuzzer	059e7e0ff26c	a885920d	.config	console log	report	syz	C	ci2-upstream-usb
2020/04/25 06:08	https://github.com/google/kasan.git usb-fuzzer	059e7e0ff26c	03d97a1b	.config	console log	report	syz	C	ci2-upstream-usb
2020/04/23 18:00	https://github.com/google/kasan.git usb-fuzzer	e9010320f2d9	b9233cab	.config	console log	report	syz	C	ci2-upstream-usb
2020/03/02 04:39	https://github.com/google/kasan.git usb-fuzzer	d6ff8147a51c	4a4e0509	.config	console log	report	syz	C	ci2-upstream-usb
2020/02/10 08:50	https://github.com/google/kasan.git usb-fuzzer	e5cd56e94edd	35f5e45e	.config	console log	report	syz	C	ci2-upstream-usb

Crashes (9):