* [BUG] KASAN: slab-out-of-bounds in select_usb_power_delivery_show
From: Shuangpeng Bai @ 2026-06-14 15:22 UTC
To: heikki.krogerus, gregkh, linux-usb, linux-kernel

Hi Kernel Maintainers,

I hit the following report while testing current upstream kernel:

KASAN: slab-out-of-bounds in select_usb_power_delivery_show

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/79c08ada299b3ae37b7a0af292ca413f

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>

[ 102.318332] BUG: KASAN: slab-out-of-bounds in select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
[ 102.319225] Read of size 8 at addr ffff888117d2f2c0 by task cat/8378
[ 102.319943] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 102.319952] Call Trace:
[ 102.320044] select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
[ 102.320066] dev_attr_show (drivers/base/core.c:2421)
[ 102.320081] sysfs_kf_seq_show (fs/sysfs/file.c:65)
[ 102.320085] seq_read_iter (fs/seq_file.c:231)
[ 102.320107] vfs_read (fs/read_write.c:493 fs/read_write.c:574)
[ 102.320140] ksys_read (fs/read_write.c:717)
[ 102.320146] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[ 102.320160] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[ 102.334419] Allocated by task 1129 on cpu 0 at 52.398062s:
[ 102.336306] tcpm_fw_get_caps (./include/linux/device/devres.h:59 ./include/linux/device/devres.h:63 drivers/usb/typec/tcpm/tcpm.c:7986)
[ 102.336658] tcpm_register_port (drivers/usb/typec/tcpm/tcpm.c:8519)
[ 102.337014] fusb302_probe (drivers/usb/typec/tcpm/fusb302.c:1759)
[ 102.337349] i2c_device_probe (drivers/i2c/i2c-core-base.c:591)
[ 102.341175] i2c_acpi_add_device (drivers/i2c/i2c-core-acpi.c:291 drivers/i2c/i2c-core-acpi.c:305)
[ 102.342660] i2c_register_adapter (drivers/i2c/i2c-core-base.c:1594)
[ 102.343044] i801_probe (drivers/i2c/busses/i2c-i801.c:1665)
[ 102.347449] The buggy address belongs to the object at ffff888117d2f280
[ 102.347449] which belongs to the cache kmalloc-64 of size 64
[ 102.348432] The buggy address is located 0 bytes to the right of
[ 102.348432] allocated 64-byte region [ffff888117d2f280, ffff888117d2f2c0)
[ 102.376916] Kernel panic - not syncing: KASAN: panic_on_warn set ...

Best,
Shuangpeng
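Added example (not part of the original report, and not kernel code): a small Python triage of the KASAN lines quoted in the message above, recovering the access site, the allocation site, and where the read lands relative to the object. The `triage` function and its field names are hypothetical; the `index` and `capacity` fields assume the object is an array of access-sized elements, which the report does not state.

```python
import re

# Lines copied from the KASAN report in the message above (not constructed).
REPORT = """\
[ 102.318332] BUG: KASAN: slab-out-of-bounds in select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
[ 102.319225] Read of size 8 at addr ffff888117d2f2c0 by task cat/8378
[ 102.334419] Allocated by task 1129 on cpu 0 at 52.398062s:
[ 102.336306] tcpm_fw_get_caps (./include/linux/device/devres.h:59 ./include/linux/device/devres.h:63 drivers/usb/typec/tcpm/tcpm.c:7986)
[ 102.347449] The buggy address belongs to the object at ffff888117d2f280
[ 102.347449] which belongs to the cache kmalloc-64 of size 64
[ 102.348432] The buggy address is located 0 bytes to the right of
[ 102.348432] allocated 64-byte region [ffff888117d2f280, ffff888117d2f2c0)
"""

def triage(report):
    """Summarise a KASAN slab report: access site, allocation site, access position."""
    text = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", report, flags=re.M)  # strip dmesg timestamps
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", text)
    alloc = re.search(r"Allocated by task \d+.*\n(\S+)", text)  # first frame listed
    cache = re.search(r"belongs to the cache (\S+) of size (\d+)", text)
    region = re.search(r"allocated (\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    if not all((bug, acc, alloc, cache, region)):
        raise ValueError("incomplete KASAN slab report")
    addr, size = int(acc[3], 16), int(acc[2])
    start, end = int(region[2], 16), int(region[3], 16)
    if end - start != int(region[1]):
        raise ValueError("region bounds disagree with the stated size")
    if addr >= end:
        position, distance = "right", addr - end
    elif addr < start:
        position, distance = "left", start - addr
    else:  # starts inside the object; out of bounds only if it runs past the end
        position, distance = "inside", max(0, addr + size - end)
    return {
        "kind": bug[1], "access_site": bug[2], "alloc_site": alloc[1],
        "op": acc[1].lower(), "size": size, "task": acc[4],
        "cache": cache[1], "region_bytes": end - start,
        "offset": addr - start, "position": position, "distance": distance,
        # Assumption: if the object is an array of access-sized elements, these
        # are the element index touched and the number of elements allocated.
        "index": (addr - start) // size, "capacity": (end - start) // size,
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key:13} {value}")
```

On this report the read starts at offset 64 of a 64-byte object, immediately past the end of the allocation whose first listed frame is tcpm_fw_get_caps.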
* Re: [BUG] KASAN: slab-out-of-bounds in select_usb_power_delivery_show
From: Greg KH @ 2026-06-14 16:37 UTC
To: Shuangpeng Bai; +Cc: heikki.krogerus, linux-usb, linux-kernel

On Sun, Jun 14, 2026 at 11:22:45AM -0400, Shuangpeng Bai wrote:
> Hi Kernel Maintainers,
>
> I hit the following report while testing current upstream kernel:
>
> KASAN: slab-out-of-bounds in select_usb_power_delivery_show
>
> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

What about the latest tree?

>
> The reproducer and .config files are here.
> https://gist.github.com/shuangpengbai/79c08ada299b3ae37b7a0af292ca413f
>
> I'm happy to test debug patches or provide additional information.
>
> Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
>
> [ 102.318332] BUG: KASAN: slab-out-of-bounds in select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
> [ 102.319225] Read of size 8 at addr ffff888117d2f2c0 by task cat/8378
> [ 102.319943] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014

Does this happen on real hardware, or just on emulated hardware?

thanks,

greg k-h
* Re: [BUG] KASAN: slab-out-of-bounds in select_usb_power_delivery_show
From: Shuangpeng @ 2026-06-14 17:28 UTC
To: Greg KH; +Cc: heikki.krogerus, linux-usb, linux-kernel

> On Jun 14, 2026, at 12:37, Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Sun, Jun 14, 2026 at 11:22:45AM -0400, Shuangpeng Bai wrote:
>> Hi Kernel Maintainers,
>>
>> I hit the following report while testing current upstream kernel:
>>
>> KASAN: slab-out-of-bounds in select_usb_power_delivery_show
>>
>> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
>
> What about the latest tree?

I retested it on the latest Linus tree:

424280953322cf66314f3ba5e2d1ef345f21c770

The same bug still reproduces there.

>>
>> The reproducer and .config files are here.
>> https://gist.github.com/shuangpengbai/79c08ada299b3ae37b7a0af292ca413f
>>
>> I'm happy to test debug patches or provide additional information.
>>
>> Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
>>
>> [ 102.318332] BUG: KASAN: slab-out-of-bounds in select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
>> [ 102.319225] Read of size 8 at addr ffff888117d2f2c0 by task cat/8378
>> [ 102.319943] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
>
> Does this happen on real hardware, or just on emulated hardware?

I have only reproduced it in QEMU so far, not on real hardware.
The repro uses QEMU to emulate the hardware environment needed to load the
FUSB302/TCPM driver path. I have not tested whether the same issue happens on
physical hardware.

Please let me know if any additional information would be helpful.

>
> thanks,
>
> greg k-h
* Re: [BUG] KASAN: slab-out-of-bounds in select_usb_power_delivery_show
From: Greg KH @ 2026-06-14 17:32 UTC
To: Shuangpeng; +Cc: heikki.krogerus, linux-usb, linux-kernel

On Sun, Jun 14, 2026 at 01:28:36PM -0400, Shuangpeng wrote:
>
>
> > On Jun 14, 2026, at 12:37, Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Sun, Jun 14, 2026 at 11:22:45AM -0400, Shuangpeng Bai wrote:
> >> Hi Kernel Maintainers,
> >>
> >> I hit the following report while testing current upstream kernel:
> >>
> >> KASAN: slab-out-of-bounds in select_usb_power_delivery_show
> >>
> >> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
> >
> > What about the latest tree?
>
> I retested it on the latest Linus tree:
>
> 424280953322cf66314f3ba5e2d1ef345f21c770
>
> The same bug still reproduces there.
>
> >>
> >> The reproducer and .config files are here.
> >> https://gist.github.com/shuangpengbai/79c08ada299b3ae37b7a0af292ca413f
> >>
> >> I'm happy to test debug patches or provide additional information.
> >>
> >> Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
> >>
> >> [ 102.318332] BUG: KASAN: slab-out-of-bounds in select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
> >> [ 102.319225] Read of size 8 at addr ffff888117d2f2c0 by task cat/8378
> >> [ 102.319943] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> >
> > Does this happen on real hardware, or just on emulated hardware?
>
> I have only reproduced it in QEMU so far, not on real hardware.
> The repro uses QEMU to emulate the hardware environment needed to load the
> FUSB302/TCPM driver path. I have not tested whether the same issue happens on
> physical hardware.
>
> Please let me know if any additional information would be helpful.

If you could test on real hardware, that would be best. How do we know
that qemu is actually correct? :)

thanks,

greg k-h
* Re: [BUG] KASAN: slab-out-of-bounds in select_usb_power_delivery_show
From: Shuangpeng @ 2026-06-14 19:11 UTC
To: Greg KH; +Cc: heikki.krogerus, linux-usb, linux-kernel

> On Jun 14, 2026, at 13:32, Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Sun, Jun 14, 2026 at 01:28:36PM -0400, Shuangpeng wrote:
>>
>>
>>> On Jun 14, 2026, at 12:37, Greg KH <gregkh@linuxfoundation.org> wrote:
>>>
>>> On Sun, Jun 14, 2026 at 11:22:45AM -0400, Shuangpeng Bai wrote:
>>>> Hi Kernel Maintainers,
>>>>
>>>> I hit the following report while testing current upstream kernel:
>>>>
>>>> KASAN: slab-out-of-bounds in select_usb_power_delivery_show
>>>>
>>>> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
>>>
>>> What about the latest tree?
>>
>> I retested it on the latest Linus tree:
>>
>> 424280953322cf66314f3ba5e2d1ef345f21c770
>>
>> The same bug still reproduces there.
>>
>>>>
>>>> The reproducer and .config files are here.
>>>> https://gist.github.com/shuangpengbai/79c08ada299b3ae37b7a0af292ca413f
>>>>
>>>> I'm happy to test debug patches or provide additional information.
>>>>
>>>> Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
>>>>
>>>> [ 102.318332] BUG: KASAN: slab-out-of-bounds in select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
>>>> [ 102.319225] Read of size 8 at addr ffff888117d2f2c0 by task cat/8378
>>>> [ 102.319943] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
>>>
>>> Does this happen on real hardware, or just on emulated hardware?
>>
>> I have only reproduced it in QEMU so far, not on real hardware.
>> The repro uses QEMU to emulate the hardware environment needed to load the
>> FUSB302/TCPM driver path. I have not tested whether the same issue happens on
>> physical hardware.
>>
>> Please let me know if any additional information would be helpful.
>
> If you could test on real hardware, that would be best. How do we know
> that qemu is actually correct? :)

Thanks for the clarification, that makes sense.

Unfortunately, I do not have real FUSB302/TCPM hardware available to test this on, so I cannot confirm whether it happens on physical hardware.

> thanks,
>
> greg k-h