From: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
To: dmitry.torokhov@gmail.com, linux-input@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [BUG] KASAN: slab-out-of-bounds in rmi_create_function
Date: Sun, 14 Jun 2026 11:16:02 -0400
Message-ID: <178144969600.60470.6869216573402531557@gmail.com>
Hi Kernel Maintainers,
I hit the following report while testing the current upstream kernel:
KASAN: slab-out-of-bounds in rmi_create_function
on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
To help trigger the bug more reliably, we applied a minimal diagnostic patch
that only adds delays and print statements.
The reproducer and .config files are here:
https://gist.github.com/shuangpengbai/6f392317d13655f16a8983fe1587dbcc
I'm happy to test debug patches or provide additional information.
Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
[ 128.210187][ T10] BUG: KASAN: slab-out-of-bounds in rmi_create_function (include/linux/instrumented.h:97 include/asm-generic/bitops/instrumented-atomic.h:28 drivers/input/rmi4/rmi_driver.c:861)
[ 128.210768][ T10] Write of size 8 at addr ffff888178e09b50 by task kworker/0:1/10
[ 128.211308][ T10]
[ 128.211489][ T10] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 128.211492][ T10] Workqueue: events acpi_table_events_fn
[ 128.211499][ T10] Call Trace:
[ 128.211501][ T10] <TASK>
[ 128.211503][ T10] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 128.211508][ T10] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 128.211520][ T10] kasan_report (mm/kasan/report.c:595)
[ 128.211526][ T10] kasan_check_range (mm/kasan/generic.c:? mm/kasan/generic.c:200)
[ 128.211530][ T10] rmi_create_function (include/linux/instrumented.h:97 include/asm-generic/bitops/instrumented-atomic.h:28 drivers/input/rmi4/rmi_driver.c:861)
[ 128.211533][ T10] rmi_scan_pdt (drivers/input/rmi4/rmi_driver.c:525 drivers/input/rmi4/rmi_driver.c:552)
[ 128.211549][ T10] rmi_init_functions (drivers/input/rmi4/rmi_driver.c:1074)
[ 128.211565][ T10] rmi_driver_probe (drivers/input/rmi4/rmi_driver.c:1207)
[ 128.211569][ T10] really_probe (drivers/base/dd.c:? drivers/base/dd.c:709)
[ 128.211571][ T10] __driver_probe_device (drivers/base/dd.c:871)
[ 128.211579][ T10] driver_probe_device (drivers/base/dd.c:901)
[ 128.211581][ T10] __device_attach_driver (drivers/base/dd.c:1029)
[ 128.211587][ T10] bus_for_each_drv (drivers/base/bus.c:500)
[ 128.211600][ T10] __device_attach (drivers/base/dd.c:1101)
[ 128.211613][ T10] device_initial_probe (drivers/base/dd.c:1156)
[ 128.211616][ T10] bus_probe_device (drivers/base/bus.c:613)
[ 128.211619][ T10] device_add (drivers/base/core.c:3706)
[ 128.211623][ T10] rmi_register_transport_device (drivers/input/rmi4/rmi_bus.c:98)
[ 128.211626][ T10] rmi_spi_probe (drivers/input/rmi4/rmi_spi.c:435)
[ 128.211629][ T10] really_probe (drivers/base/dd.c:? drivers/base/dd.c:709)
[ 128.211631][ T10] __driver_probe_device (drivers/base/dd.c:871)
[ 128.211634][ T10] driver_probe_device (drivers/base/dd.c:901)
[ 128.211636][ T10] __device_attach_driver (drivers/base/dd.c:1029)
[ 128.211641][ T10] bus_for_each_drv (drivers/base/bus.c:500)
[ 128.211653][ T10] __device_attach (drivers/base/dd.c:1101)
[ 128.211671][ T10] device_initial_probe (drivers/base/dd.c:1156)
[ 128.211674][ T10] bus_probe_device (drivers/base/bus.c:613)
[ 128.211676][ T10] device_add (drivers/base/core.c:3706)
[ 128.211679][ T10] __spi_add_device (drivers/spi/spi.c:756)
[ 128.211689][ T10] acpi_register_spi_device (drivers/spi/spi.c:786 drivers/spi/spi.c:3055)
[ 128.211697][ T10] acpi_spi_notify (drivers/spi/spi.c:5093)
[ 128.211699][ T10] notifier_call_chain (kernel/notifier.c:85)
[ 128.211702][ T10] blocking_notifier_call_chain (kernel/notifier.c:380)
[ 128.211705][ T10] acpi_generic_device_attach (drivers/acpi/scan.c:2297)
[ 128.211710][ T10] acpi_bus_attach (drivers/acpi/scan.c:2323 drivers/acpi/scan.c:2372)
[ 128.211740][ T10] device_for_each_child (drivers/base/core.c:4035)
[ 128.211751][ T10] acpi_dev_for_each_child (drivers/acpi/bus.c:1208)
[ 128.211761][ T10] acpi_bus_attach (drivers/acpi/scan.c:2393)
[ 128.211776][ T10] device_for_each_child (drivers/base/core.c:4035)
[ 128.211787][ T10] acpi_dev_for_each_child (drivers/acpi/bus.c:1208)
[ 128.211797][ T10] acpi_bus_attach (drivers/acpi/scan.c:2393)
[ 128.211816][ T10] device_for_each_child (drivers/base/core.c:4035)
[ 128.211827][ T10] acpi_dev_for_each_child (drivers/acpi/bus.c:1208)
[ 128.211839][ T10] acpi_bus_attach (drivers/acpi/scan.c:2393)
[ 128.211859][ T10] acpi_bus_scan (drivers/acpi/scan.c:2743)
[ 128.211871][ T10] acpi_table_events_fn (drivers/acpi/scan.c:2933)
[ 128.211874][ T10] process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[ 128.211879][ T10] worker_thread (kernel/workqueue.c:3478)
[ 128.211884][ T10] kthread (kernel/kthread.c:436)
[ 128.211891][ T10] ret_from_fork (kernel/process.c:158)
[ 128.211902][ T10] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
Best,
Shuangpeng