Linux USB
From: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
To: heikki.krogerus@linux.intel.com, gregkh@linuxfoundation.org,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [BUG] KASAN: slab-out-of-bounds in select_usb_power_delivery_show
Date: Sun, 14 Jun 2026 11:22:45 -0400
Message-ID: <178144969600.60470.6584137935143789620@gmail.com>

Hi Kernel Maintainers,

I hit the following report while testing the current upstream kernel:

KASAN: slab-out-of-bounds in select_usb_power_delivery_show

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/79c08ada299b3ae37b7a0af292ca413f

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>

[  102.318332] BUG: KASAN: slab-out-of-bounds in select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
[  102.319225] Read of size 8 at addr ffff888117d2f2c0 by task cat/8378
[  102.319943] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  102.319952] Call Trace:
[  102.320044]  select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
[  102.320066]  dev_attr_show (drivers/base/core.c:2421)
[  102.320081]  sysfs_kf_seq_show (fs/sysfs/file.c:65)
[  102.320085]  seq_read_iter (fs/seq_file.c:231)
[  102.320107]  vfs_read (fs/read_write.c:493 fs/read_write.c:574)
[  102.320140]  ksys_read (fs/read_write.c:717)
[  102.320146]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[  102.320160]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[  102.334419] Allocated by task 1129 on cpu 0 at 52.398062s:
[  102.336306]  tcpm_fw_get_caps (./include/linux/device/devres.h:59 ./include/linux/device/devres.h:63 drivers/usb/typec/tcpm/tcpm.c:7986)
[  102.336658]  tcpm_register_port (drivers/usb/typec/tcpm/tcpm.c:8519)
[  102.337014]  fusb302_probe (drivers/usb/typec/tcpm/fusb302.c:1759)
[  102.337349]  i2c_device_probe (drivers/i2c/i2c-core-base.c:591)
[  102.341175]  i2c_acpi_add_device (drivers/i2c/i2c-core-acpi.c:291 drivers/i2c/i2c-core-acpi.c:305)
[  102.342660]  i2c_register_adapter (drivers/i2c/i2c-core-base.c:1594)
[  102.343044]  i801_probe (drivers/i2c/busses/i2c-i801.c:1665)
[  102.347449] The buggy address belongs to the object at ffff888117d2f280
[  102.347449]  which belongs to the cache kmalloc-64 of size 64
[  102.348432] The buggy address is located 0 bytes to the right of
[  102.348432]  allocated 64-byte region [ffff888117d2f280, ffff888117d2f2c0)
[  102.376916] Kernel panic - not syncing: KASAN: panic_on_warn set ...


Best,
Shuangpeng
