syzbot

 sign-in | mailing list | source | docs
🐞 Open [987] Subsystems 🐞 Fixed [5236] 🐞 Invalid [12505] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

WARNING in __i2c_transfer (2)

Status: fixed on 2022/03/08 16:11
Subsystems: i2c
[Documentation on labels]
Reported-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
Fix commit: bb436283e25a i2c: validate user data in compat ioctl
First crash: 895d, last: 843d
Cause bisection: introduced by (bisect log) :
commit f90cf6079bf67988f8b1ad1ade70fc89d0080905
Author: Daniel W. S. Almeida <dwlsalmeida@gmail.com>
Date: Fri Aug 21 12:58:47 2020 +0000

  media: vidtv: add a bridge driver

Crash: WARNING in __i2c_transfer (log)
Repro: C syz .config
  
Discussions (6)
Title Replies (including bot) Last reply
[PATCH 4.19 00/27] 4.19.224-rc1 review 32 (32) 2022/01/04 15:51
[PATCH 5.15 00/73] 5.15.13-rc1 review 79 (79) 2022/01/04 07:33
[PATCH 5.4 00/37] 5.4.170-rc1 review 42 (42) 2022/01/04 06:28
[PATCH 5.10 00/48] 5.10.90-rc1 review 52 (52) 2022/01/04 05:43
[PATCH] i2c: don't pass 0 nmsgs to i2c_transfer 6 (6) 2021/12/31 13:31
[syzbot] WARNING in __i2c_transfer (2) 1 (5) 2021/12/25 12:50
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream WARNING in __i2c_transfer i2c C done 2847 897d 1140d 20/26 fixed on 2021/11/10 00:50
Last patch testing requests (1)
Created Duration User Patch Repo Result
2021/12/25 12:39 9m paskripkin@gmail.com patch upstream OK

Sample crash report:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 3603 at drivers/i2c/i2c-core-base.c:2178 __i2c_transfer+0xa14/0x17c0 drivers/i2c/i2c-core-base.c:2178 drivers/i2c/i2c-core-base.c:2178
Modules linked in:
CPU: 1 PID: 3603 Comm: syz-executor029 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__i2c_transfer+0xa14/0x17c0 drivers/i2c/i2c-core-base.c:2178 drivers/i2c/i2c-core-base.c:2178
Code: 0f 94 c7 31 ff 44 89 fe e8 e9 ab 9b fb 45 84 ff 0f 84 26 fd ff ff e8 fb a7 9b fb e8 65 3b 24 fb e9 17 fd ff ff e8 ec a7 9b fb <0f> 0b 41 bc ea ff ff ff e9 9e fd ff ff e8 da a7 9b fb 44 89 ee bf
RSP: 0018:ffffc90002aafce8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000010 RCX: 0000000000000000
RDX: ffff88801c0f3a00 RSI: ffffffff85dc09e4 RDI: 0000000000000003
RBP: ffff88814a058b58 R08: 0000000000000000 R09: ffffffff8ff74ac7
R10: ffffffff85dc0008 R11: 0000000000000000 R12: 0000000000000010
R13: 0000000000000000 R14: ffff88814a058b78 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0063) knlGS:0000000056cc62c0
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000000773de000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 i2c_transfer+0x1e6/0x3e0 drivers/i2c/i2c-core-base.c:2269 drivers/i2c/i2c-core-base.c:2269
 i2cdev_ioctl_rdwr+0x583/0x6a0 drivers/i2c/i2c-dev.c:297 drivers/i2c/i2c-dev.c:297
 compat_i2cdev_ioctl+0x419/0x4f0 drivers/i2c/i2c-dev.c:561 drivers/i2c/i2c-dev.c:561
 __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972 fs/ioctl.c:972
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] arch/x86/entry/common.c:178
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7e6e549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000fffc8b7c EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000707
RDX: 00000000200003c0 RSI: 00000000fffc8bd0 RDI: 00000000f7f15000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess):
   0:	03 74 c0 01          	add    0x1(%rax,%rax,8),%esi
   4:	10 05 03 74 b8 01    	adc    %al,0x1b87403(%rip)        # 0x1b8740d
   a:	10 06                	adc    %al,(%rsi)
   c:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
  10:	10 07                	adc    %al,(%rdi)
  12:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
  16:	10 08                	adc    %cl,(%rax)
  18:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  1c:	00 00                	add    %al,(%rax)
  1e:	00 00                	add    %al,(%rax)
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:	89 e5                	mov    %esp,%ebp
  26:	0f 34                	sysenter
  28:	cd 80                	int    $0x80
* 2a:	5d                   	pop    %rbp <-- trapping instruction
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	retq
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  39:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
----------------
Code disassembly (best guess):
   0:	03 74 c0 01          	add    0x1(%rax,%rax,8),%esi
   4:	10 05 03 74 b8 01    	adc    %al,0x1b87403(%rip)        # 0x1b8740d
   a:	10 06                	adc    %al,(%rsi)
   c:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
  10:	10 07                	adc    %al,(%rdi)
  12:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
  16:	10 08                	adc    %cl,(%rax)
  18:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  1c:	00 00                	add    %al,(%rax)
  1e:	00 00                	add    %al,(%rax)
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:	89 e5                	mov    %esp,%ebp
  26:	0f 34                	sysenter
  28:	cd 80                	int    $0x80
* 2a:	5d                   	pop    %rbp <-- trapping instruction
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	retq
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  39:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi

Crashes (337):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/12/19 08:20 upstream 9eaa88c7036e 44068e19 .config console log report syz C ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/07 22:05 upstream cd8c917a56f2 0230ba3e .config console log report syz C ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/03 04:08 upstream 1286cc4893cf e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/03 02:12 upstream 1286cc4893cf e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/02 22:04 upstream 1286cc4893cf e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/02 11:23 upstream 278218f6778b e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/02 06:33 upstream 278218f6778b e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/02 02:48 upstream 278218f6778b e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/02 01:35 upstream 278218f6778b e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/01 18:32 upstream 800829388818 e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/01 17:04 upstream 800829388818 e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/01 12:11 upstream 800829388818 e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/01 04:18 upstream 4f3d93c6eaff e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2022/01/01 00:16 upstream 4f3d93c6eaff e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/31 23:51 upstream 4f3d93c6eaff e1768e9c .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/31 16:30 upstream 4f3d93c6eaff 36bd2e48 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/31 09:57 upstream 74c78b4291b4 36bd2e48 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/31 07:29 upstream 74c78b4291b4 36bd2e48 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/31 05:02 upstream 74c78b4291b4 36bd2e48 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/31 03:19 upstream 74c78b4291b4 36bd2e48 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/30 21:08 upstream eec4df26e24e 2e49f10d .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/30 19:38 upstream eec4df26e24e 2e49f10d .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/29 21:24 upstream e7c124bd0463 6cc879d4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/29 19:36 upstream e7c124bd0463 6cc879d4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/29 19:32 upstream e7c124bd0463 6cc879d4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/29 18:12 upstream e7c124bd0463 6cc879d4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/29 10:04 upstream ecf71de775a0 76c8cf06 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/29 08:41 upstream ecf71de775a0 76c8cf06 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/28 19:30 upstream a8ad9a2434dc 76c8cf06 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/28 13:25 upstream a8ad9a2434dc 6b3c5e64 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/28 12:19 upstream a8ad9a2434dc 6b3c5e64 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/28 06:34 upstream a8ad9a2434dc 6b3c5e64 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/28 05:13 upstream a8ad9a2434dc 6b3c5e64 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/28 00:18 upstream a8ad9a2434dc 5140bd58 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/27 22:58 upstream a8ad9a2434dc 5140bd58 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/27 19:56 upstream a8ad9a2434dc 5140bd58 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/26 22:06 upstream 438645193e59 e4f103c4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/26 16:10 upstream 438645193e59 e4f103c4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/26 12:45 upstream 438645193e59 e4f103c4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/26 12:38 upstream 438645193e59 e4f103c4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/26 06:43 upstream e2ae0d4a6b0b 6caa12e4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/26 05:33 upstream e2ae0d4a6b0b 6caa12e4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/26 00:12 upstream e2ae0d4a6b0b 6caa12e4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/25 20:33 upstream b927dfc67d05 6caa12e4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/25 19:09 upstream b927dfc67d05 6caa12e4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/25 14:25 upstream b927dfc67d05 6caa12e4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/25 07:31 upstream b927dfc67d05 6caa12e4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/25 04:20 upstream b927dfc67d05 6caa12e4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/25 04:02 upstream b927dfc67d05 6caa12e4 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/12/07 11:19 upstream f80ef9e49fdf 0230ba3e .config console log report info ci-qemu-upstream-386 WARNING in __i2c_transfer
2021/11/14 20:12 upstream c8c109546a19 83f5c9b5 .config console log report info ci-upstream-kasan-gce-386 WARNING in __i2c_transfer
2021/11/11 12:08 upstream debe436e77c7 75b04091 .config console log report info ci-qemu-upstream-386 WARNING in __i2c_transfer
* Struck through repros no longer work on HEAD.