Linux Input/HID development
* [BUG] KASAN: slab-out-of-bounds in rmi_create_function
@ 2026-06-14 15:16 Shuangpeng Bai
From: Shuangpeng Bai @ 2026-06-14 15:16 UTC (permalink / raw)
  To: dmitry.torokhov, linux-input, linux-kernel

Hi Kernel Maintainers,

I hit the following report while testing the current upstream kernel:

KASAN: slab-out-of-bounds in rmi_create_function

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

To help trigger the bug more reliably, we applied a minimal diagnostic patch
that only adds delays and print statements.

The reproducer and .config files are here:
https://gist.github.com/shuangpengbai/6f392317d13655f16a8983fe1587dbcc

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>

[  128.210187][   T10] BUG: KASAN: slab-out-of-bounds in rmi_create_function (include/linux/instrumented.h:97 include/asm-generic/bitops/instrumented-atomic.h:28 drivers/input/rmi4/rmi_driver.c:861)
[  128.210768][   T10] Write of size 8 at addr ffff888178e09b50 by task kworker/0:1/10
[  128.211308][   T10]
[  128.211489][   T10] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  128.211492][   T10] Workqueue: events acpi_table_events_fn
[  128.211499][   T10] Call Trace:
[  128.211501][   T10]  <TASK>
[  128.211503][   T10]  dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[  128.211508][   T10]  print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[  128.211520][   T10]  kasan_report (mm/kasan/report.c:595)
[  128.211526][   T10]  kasan_check_range (mm/kasan/generic.c:? mm/kasan/generic.c:200)
[  128.211530][   T10]  rmi_create_function (include/linux/instrumented.h:97 include/asm-generic/bitops/instrumented-atomic.h:28 drivers/input/rmi4/rmi_driver.c:861)
[  128.211533][   T10]  rmi_scan_pdt (drivers/input/rmi4/rmi_driver.c:525 drivers/input/rmi4/rmi_driver.c:552)
[  128.211549][   T10]  rmi_init_functions (drivers/input/rmi4/rmi_driver.c:1074)
[  128.211565][   T10]  rmi_driver_probe (drivers/input/rmi4/rmi_driver.c:1207)
[  128.211569][   T10]  really_probe (drivers/base/dd.c:? drivers/base/dd.c:709)
[  128.211571][   T10]  __driver_probe_device (drivers/base/dd.c:871)
[  128.211579][   T10]  driver_probe_device (drivers/base/dd.c:901)
[  128.211581][   T10]  __device_attach_driver (drivers/base/dd.c:1029)
[  128.211587][   T10]  bus_for_each_drv (drivers/base/bus.c:500)
[  128.211600][   T10]  __device_attach (drivers/base/dd.c:1101)
[  128.211613][   T10]  device_initial_probe (drivers/base/dd.c:1156)
[  128.211616][   T10]  bus_probe_device (drivers/base/bus.c:613)
[  128.211619][   T10]  device_add (drivers/base/core.c:3706)
[  128.211623][   T10]  rmi_register_transport_device (drivers/input/rmi4/rmi_bus.c:98)
[  128.211626][   T10]  rmi_spi_probe (drivers/input/rmi4/rmi_spi.c:435)
[  128.211629][   T10]  really_probe (drivers/base/dd.c:? drivers/base/dd.c:709)
[  128.211631][   T10]  __driver_probe_device (drivers/base/dd.c:871)
[  128.211634][   T10]  driver_probe_device (drivers/base/dd.c:901)
[  128.211636][   T10]  __device_attach_driver (drivers/base/dd.c:1029)
[  128.211641][   T10]  bus_for_each_drv (drivers/base/bus.c:500)
[  128.211653][   T10]  __device_attach (drivers/base/dd.c:1101)
[  128.211671][   T10]  device_initial_probe (drivers/base/dd.c:1156)
[  128.211674][   T10]  bus_probe_device (drivers/base/bus.c:613)
[  128.211676][   T10]  device_add (drivers/base/core.c:3706)
[  128.211679][   T10]  __spi_add_device (drivers/spi/spi.c:756)
[  128.211689][   T10]  acpi_register_spi_device (drivers/spi/spi.c:786 drivers/spi/spi.c:3055)
[  128.211697][   T10]  acpi_spi_notify (drivers/spi/spi.c:5093)
[  128.211699][   T10]  notifier_call_chain (kernel/notifier.c:85)
[  128.211702][   T10]  blocking_notifier_call_chain (kernel/notifier.c:380)
[  128.211705][   T10]  acpi_generic_device_attach (drivers/acpi/scan.c:2297)
[  128.211710][   T10]  acpi_bus_attach (drivers/acpi/scan.c:2323 drivers/acpi/scan.c:2372)
[  128.211740][   T10]  device_for_each_child (drivers/base/core.c:4035)
[  128.211751][   T10]  acpi_dev_for_each_child (drivers/acpi/bus.c:1208)
[  128.211761][   T10]  acpi_bus_attach (drivers/acpi/scan.c:2393)
[  128.211776][   T10]  device_for_each_child (drivers/base/core.c:4035)
[  128.211787][   T10]  acpi_dev_for_each_child (drivers/acpi/bus.c:1208)
[  128.211797][   T10]  acpi_bus_attach (drivers/acpi/scan.c:2393)
[  128.211816][   T10]  device_for_each_child (drivers/base/core.c:4035)
[  128.211827][   T10]  acpi_dev_for_each_child (drivers/acpi/bus.c:1208)
[  128.211839][   T10]  acpi_bus_attach (drivers/acpi/scan.c:2393)
[  128.211859][   T10]  acpi_bus_scan (drivers/acpi/scan.c:2743)
[  128.211871][   T10]  acpi_table_events_fn (drivers/acpi/scan.c:2933)
[  128.211874][   T10]  process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[  128.211879][   T10]  worker_thread (kernel/workqueue.c:3478)
[  128.211884][   T10]  kthread (kernel/kthread.c:436)
[  128.211891][   T10]  ret_from_fork (kernel/process.c:158)
[  128.211902][   T10]  ret_from_fork_asm (arch/x86/entry/entry_64.S:245)


Best,
Shuangpeng
