* [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event (2)
@ 2025-10-13  4:00 syzbot
  2025-10-14 15:20 ` syzbot
From: syzbot @ 2025-10-13  4:00 UTC (permalink / raw)
  To: bentiss, jikos, linux-input, linux-kernel, linux-usb,
	syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    ec714e371f22 Merge tag 'perf-tools-for-v6.18-1-2025-10-08'..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15400dcd980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=61ab7fa743df0ec1
dashboard link: https://syzkaller.appspot.com/bug?extid=1018672fe70298606e5f
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4067604ee40d/disk-ec714e37.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6683059d243f/vmlinux-ec714e37.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fcbc710a7633/bzImage-ec714e37.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1018672fe70298606e5f@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x106a/0x1240 drivers/hid/hid-mcp2221.c:948
Read of size 1 at addr ffff88806c49ffff by task kworker/1:4/5894

CPU: 1 UID: 0 PID: 5894 Comm: kworker/1:4 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 mcp2221_raw_event+0x106a/0x1240 drivers/hid/hid-mcp2221.c:948
 __hid_input_report drivers/hid/hid-core.c:2139 [inline]
 hid_input_report+0x40a/0x520 drivers/hid/hid-core.c:2166
 hid_irq_in+0x47e/0x6d0 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x373/0x540 drivers/usb/core/hcd.c:1661
 dummy_timer+0x85f/0x44c0 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
 __hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1841
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1858
 handle_softirqs+0x283/0x870 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:orc_ip arch/x86/kernel/unwind_orc.c:80 [inline]
RIP: 0010:__orc_find arch/x86/kernel/unwind_orc.c:102 [inline]
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:227 [inline]
RIP: 0010:unwind_next_frame+0x130e/0x2390 arch/x86/kernel/unwind_orc.c:494
Code: c1 e8 3f 48 01 c8 48 83 e0 fe 4c 8d 3c 45 00 00 00 00 49 01 ef 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 <84> c0 75 27 49 63 07 4c 01 f8 49 8d 4f 04 4c 39 e0 48 0f 46 e9 49
RSP: 0018:ffffc9000450d6d8 EFLAGS: 00000a07
RAX: 0000000000000000 RBX: ffffffff8fe36e54 RCX: dffffc0000000000
RDX: ffffffff8fe36e54 RSI: ffffffff90773ada RDI: ffffffff8bc07480
RBP: ffffffff8fe36e54 R08: 0000000000000001 R09: ffffffff81731d25
R10: ffffc9000450d7f8 R11: ffffffff81abbce0 R12: ffffffff85ccc8e0
R13: ffffffff8fe36e54 R14: ffffc9000450d7a8 R15: ffffffff8fe36e54
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
 kasan_kmalloc include/linux/kasan.h:262 [inline]
 __kmalloc_cache_noprof+0x3d5/0x6f0 mm/slub.c:5724
 kmalloc_noprof include/linux/slab.h:957 [inline]
 add_stack_record_to_list mm/page_owner.c:172 [inline]
 inc_stack_record_count mm/page_owner.c:214 [inline]
 __set_page_owner+0x25c/0x4a0 mm/page_owner.c:333
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850
 prep_new_page mm/page_alloc.c:1858 [inline]
 get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3884
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:3030 [inline]
 allocate_slab+0x96/0x3a0 mm/slub.c:3203
 new_slab mm/slub.c:3257 [inline]
 ___slab_alloc+0xe94/0x1920 mm/slub.c:4627
 __slab_alloc+0x65/0x100 mm/slub.c:4746
 __slab_alloc_node mm/slub.c:4822 [inline]
 slab_alloc_node mm/slub.c:5233 [inline]
 kmem_cache_alloc_noprof+0x3f9/0x6e0 mm/slub.c:5252
 __kernfs_new_node+0xd7/0x7e0 fs/kernfs/dir.c:637
 kernfs_new_node+0x102/0x210 fs/kernfs/dir.c:713
 __kernfs_create_file+0x4b/0x2e0 fs/kernfs/file.c:1057
 sysfs_add_file_mode_ns+0x238/0x300 fs/sysfs/file.c:313
 sysfs_create_file_ns+0x128/0x1a0 fs/sysfs/file.c:374
 device_add+0x5d2/0xb50 drivers/base/core.c:3655
 cdev_device_add+0x1d6/0x390 fs/char_dev.c:556
 i2cdev_attach_adapter+0x2ed/0x4e0 drivers/i2c/i2c-dev.c:691
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 blocking_notifier_call_chain+0x6a/0x90 kernel/notifier.c:380
 bus_notify+0x143/0x180 drivers/base/bus.c:1001
 device_add+0x54d/0xb50 drivers/base/core.c:3669
 i2c_register_adapter+0x4f1/0x10f0 drivers/i2c/i2c-core-base.c:1573
 devm_i2c_add_adapter+0x1b/0x80 drivers/i2c/i2c-core-base.c:1845
 mcp2221_probe+0x404/0x880 drivers/hid/hid-mcp2221.c:1289
 __hid_device_probe drivers/hid/hid-core.c:2775 [inline]
 hid_device_probe+0x416/0x7a0 drivers/hid/hid-core.c:2812
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 hid_add_device+0x272/0x3e0 drivers/hid/hid-core.c:2951
 usbhid_probe+0xe13/0x12a0 drivers/hid/usbhid/hid-core.c:1435
 usb_probe_interface+0x665/0xc30 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2958/0x4a20 drivers/usb/core/hub.c:5952
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6100:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 unpoison_slab_object mm/kasan/common.c:342 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:368
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4946 [inline]
 slab_alloc_node mm/slub.c:5245 [inline]
 kmem_cache_alloc_node_noprof+0x433/0x710 mm/slub.c:5297
 kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:579
 __alloc_skb+0x142/0x2d0 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1383 [inline]
 alloc_uevent_skb+0x7d/0x230 lib/kobject_uevent.c:289
 uevent_net_broadcast_tagged lib/kobject_uevent.c:352 [inline]
 kobject_uevent_net_broadcast+0x184/0x560 lib/kobject_uevent.c:413
 kobject_uevent_env+0x55b/0x8c0 lib/kobject_uevent.c:608
 __kobject_del+0xd2/0x300 lib/kobject.c:601
 kobject_cleanup lib/kobject.c:680 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x243/0x480 lib/kobject.c:737
 netdev_queue_update_kobjects+0x5db/0x6c0 net/core/net-sysfs.c:2073
 remove_queue_kobjects net/core/net-sysfs.c:2170 [inline]
 netdev_unregister_kobject+0x11f/0x450 net/core/net-sysfs.c:2325
 unregister_netdevice_many_notify+0x1a6b/0x1ff0 net/core/dev.c:12289
 unregister_netdevice_many net/core/dev.c:12317 [inline]
 unregister_netdevice_queue+0x33c/0x380 net/core/dev.c:12161
 unregister_netdevice include/linux/netdevice.h:3389 [inline]
 __tun_detach+0x6d9/0x15d0 drivers/net/tun.c:621
 tun_detach drivers/net/tun.c:637 [inline]
 tun_chr_close+0x10a/0x1c0 drivers/net/tun.c:3436
 __fput+0x44c/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 __do_fast_syscall_32+0x1f4/0x2b0 arch/x86/entry/syscall_32.c:309
 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:331
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Freed by task 6100:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
 kasan_save_free_info mm/kasan/kasan.h:406 [inline]
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2514 [inline]
 slab_free mm/slub.c:6566 [inline]
 kmem_cache_free+0x19b/0x690 mm/slub.c:6676
 skb_release_data+0x62d/0x7c0 net/core/skbuff.c:1087
 skb_release_all net/core/skbuff.c:1152 [inline]
 __kfree_skb net/core/skbuff.c:1166 [inline]
 consume_skb+0x9e/0xf0 net/core/skbuff.c:1398
 netlink_broadcast_filtered+0xec7/0x1000 net/netlink/af_netlink.c:1537
 netlink_broadcast+0x37/0x50 net/netlink/af_netlink.c:1559
 uevent_net_broadcast_tagged lib/kobject_uevent.c:373 [inline]
 kobject_uevent_net_broadcast+0x4bc/0x560 lib/kobject_uevent.c:413
 kobject_uevent_env+0x55b/0x8c0 lib/kobject_uevent.c:608
 __kobject_del+0xd2/0x300 lib/kobject.c:601
 kobject_cleanup lib/kobject.c:680 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x243/0x480 lib/kobject.c:737
 netdev_queue_update_kobjects+0x5db/0x6c0 net/core/net-sysfs.c:2073
 remove_queue_kobjects net/core/net-sysfs.c:2170 [inline]
 netdev_unregister_kobject+0x11f/0x450 net/core/net-sysfs.c:2325
 unregister_netdevice_many_notify+0x1a6b/0x1ff0 net/core/dev.c:12289
 unregister_netdevice_many net/core/dev.c:12317 [inline]
 unregister_netdevice_queue+0x33c/0x380 net/core/dev.c:12161
 unregister_netdevice include/linux/netdevice.h:3389 [inline]
 __tun_detach+0x6d9/0x15d0 drivers/net/tun.c:621
 tun_detach drivers/net/tun.c:637 [inline]
 tun_chr_close+0x10a/0x1c0 drivers/net/tun.c:3436
 __fput+0x44c/0xa70 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 __do_fast_syscall_32+0x1f4/0x2b0 arch/x86/entry/syscall_32.c:309
 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:331
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

The buggy address belongs to the object at ffff88806c49fa80
 which belongs to the cache skbuff_small_head of size 704
The buggy address is located 703 bytes to the right of
 allocated 704-byte region [ffff88806c49fa80, ffff88806c49fd40)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6c49c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff8881416f6b40 ffffea0001b12500 0000000000000003
raw: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff8881416f6b40 ffffea0001b12500 0000000000000003
head: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0001b12701 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 12, tgid 12 (kworker/u8:0), ts 104150033521, free_ts 94308046189
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850
 prep_new_page mm/page_alloc.c:1858 [inline]
 get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3884
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:3030 [inline]
 allocate_slab+0x96/0x3a0 mm/slub.c:3203
 new_slab mm/slub.c:3257 [inline]
 ___slab_alloc+0xe94/0x1920 mm/slub.c:4627
 __slab_alloc+0x65/0x100 mm/slub.c:4746
 __slab_alloc_node mm/slub.c:4822 [inline]
 slab_alloc_node mm/slub.c:5233 [inline]
 kmem_cache_alloc_node_noprof+0x4c5/0x710 mm/slub.c:5297
 kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:579
 __alloc_skb+0x142/0x2d0 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1383 [inline]
 nlmsg_new include/net/netlink.h:1055 [inline]
 inet6_rt_notify+0x170/0x470 net/ipv6/route.c:6345
 fib6_add_rt2node+0x1876/0x33a0 net/ipv6/ip6_fib.c:1275
 fib6_add+0x8da/0x18a0 net/ipv6/ip6_fib.c:1528
 __ip6_ins_rt net/ipv6/route.c:1351 [inline]
 ip6_ins_rt+0xc8/0x120 net/ipv6/route.c:1361
 __ipv6_ifa_notify+0x63f/0xac0 net/ipv6/addrconf.c:6283
 ipv6_ifa_notify net/ipv6/addrconf.c:6322 [inline]
 addrconf_dad_completed+0x180/0xd60 net/ipv6/addrconf.c:4320
page last free pid 5818 tgid 5818 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 free_unref_folios+0xdb3/0x14f0 mm/page_alloc.c:2963
 folios_put_refs+0x584/0x670 mm/swap.c:1002
 free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
 tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
 tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
 vms_clear_ptes+0x42c/0x540 mm/vma.c:1235
 vms_complete_munmap_vmas+0x206/0x8a0 mm/vma.c:1277
 do_vmi_align_munmap+0x364/0x440 mm/vma.c:1536
 do_vmi_munmap+0x253/0x2e0 mm/vma.c:1584
 __vm_munmap+0x207/0x380 mm/vma.c:3156
 __do_sys_munmap mm/mmap.c:1080 [inline]
 __se_sys_munmap mm/mmap.c:1077 [inline]
 __ia32_sys_munmap+0x5f/0x70 mm/mmap.c:1077
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xb6/0x2b0 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:331
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Memory state around the buggy address:
 ffff88806c49fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806c49ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806c49ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88806c4a0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88806c4a0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	c1 e8 3f             	shr    $0x3f,%eax
   3:	48 01 c8             	add    %rcx,%rax
   6:	48 83 e0 fe          	and    $0xfffffffffffffffe,%rax
   a:	4c 8d 3c 45 00 00 00 	lea    0x0(,%rax,2),%r15
  11:	00
  12:	49 01 ef             	add    %rbp,%r15
  15:	4c 89 f8             	mov    %r15,%rax
  18:	48 c1 e8 03          	shr    $0x3,%rax
  1c:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  23:	fc ff df
  26:	0f b6 04 08          	movzbl (%rax,%rcx,1),%eax
* 2a:	84 c0                	test   %al,%al <-- trapping instruction
  2c:	75 27                	jne    0x55
  2e:	49 63 07             	movslq (%r15),%rax
  31:	4c 01 f8             	add    %r15,%rax
  34:	49 8d 4f 04          	lea    0x4(%r15),%rcx
  38:	4c 39 e0             	cmp    %r12,%rax
  3b:	48 0f 46 e9          	cmovbe %rcx,%rbp
  3f:	49                   	rex.WB


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event (2)
  2025-10-13  4:00 [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event (2) syzbot
@ 2025-10-14 15:20 ` syzbot
  2025-10-15 12:06   ` Oliver Neukum
From: syzbot @ 2025-10-14 15:20 UTC (permalink / raw)
  To: bentiss, jikos, linux-input, linux-kernel, linux-usb,
	syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    3a8660878839 Linux 6.18-rc1
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12a705e2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e7b5a3627a90dd
dashboard link: https://syzkaller.appspot.com/bug?extid=1018672fe70298606e5f
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=132ebb34580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140fe52f980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e767e8931970/disk-3a866087.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4cb12bdcfcea/vmlinux-3a866087.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b08acfae954d/bzImage-3a866087.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1018672fe70298606e5f@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x1070/0x10a0 drivers/hid/hid-mcp2221.c:948
Read of size 1 at addr ffff8880721cbfff by task kworker/0:7/6094

CPU: 0 UID: 0 PID: 6094 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 mcp2221_raw_event+0x1070/0x10a0 drivers/hid/hid-mcp2221.c:948
 __hid_input_report.constprop.0+0x314/0x450 drivers/hid/hid-core.c:2139
 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
 dummy_timer+0x1809/0x3a00 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
 __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1841
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1858
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:kasan_check_range+0x12/0x1b0 mm/kasan/generic.c:199
Code: 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 85 f6 0f 84 64 01 00 00 48 89 f8 41 54 <44> 0f b6 c2 48 01 f0 55 53 0f 82 d7 00 00 00 eb 0f cc cc cc 48 b8
RSP: 0018:ffffc900037b6b60 EFLAGS: 00000202
RAX: ffff888077da86b0 RBX: ffff888077da8668 RCX: ffffffff819803ae
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff888077da86b0
RBP: ffff888077da86b0 R08: 0000000000000002 R09: 0000000000000000
R10: ffff888077da866f R11: 0000000000000000 R12: ffffffff8c6df2a0
R13: ffffffff9ae57620 R14: 0000000000000000 R15: ffff888026709978
 instrument_atomic_write include/linux/instrumented.h:82 [inline]
 atomic_set include/linux/atomic/atomic-instrumented.h:67 [inline]
 osq_lock_init include/linux/osq_lock.h:25 [inline]
 __mutex_init+0xae/0x120 kernel/locking/mutex.c:53
 i2c_register_adapter+0x15d/0x1370 drivers/i2c/i2c-core-base.c:1544
 i2c_add_adapter drivers/i2c/i2c-core-base.c:1673 [inline]
 i2c_add_adapter+0x10a/0x1b0 drivers/i2c/i2c-core-base.c:1653
 devm_i2c_add_adapter+0x1b/0x90 drivers/i2c/i2c-core-base.c:1845
 mcp2221_probe+0x5f1/0xc50 drivers/hid/hid-mcp2221.c:1289
 __hid_device_probe drivers/hid/hid-core.c:2775 [inline]
 hid_device_probe+0x5ba/0x8d0 drivers/hid/hid-core.c:2812
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 hid_add_device+0x31b/0x5c0 drivers/hid/hid-core.c:2951
 usbhid_probe+0xd38/0x13f0 drivers/hid/usbhid/hid-core.c:1435
 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263
 process_scheduled_works kernel/workqueue.c:3346 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 5918:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
 kasan_save_track+0x14/0x30 mm/kasan/common.c:77
 poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417
 kmalloc_noprof include/linux/slab.h:957 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 ipv6_add_addr+0x4e3/0x1fe0 net/ipv6/addrconf.c:1120
 add_addr+0xde/0x350 net/ipv6/addrconf.c:3201
 add_v4_addrs+0x642/0x980 net/ipv6/addrconf.c:3263
 addrconf_gre_config net/ipv6/addrconf.c:3545 [inline]
 addrconf_init_auto_addrs+0x51a/0x810 net/ipv6/addrconf.c:3559
 addrconf_notify+0xe93/0x19e0 net/ipv6/addrconf.c:3740
 notifier_call_chain+0xbc/0x410 kernel/notifier.c:85
 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2229
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9676
 netif_change_flags+0x108/0x160 net/core/dev.c:9705
 do_setlink.constprop.0+0xb53/0x4380 net/core/rtnetlink.c:3151
 rtnl_changelink net/core/rtnetlink.c:3769 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3928 [inline]
 rtnl_newlink+0x1446/0x2000 net/core/rtnetlink.c:4065
 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6954
 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 __sys_sendto+0x4a3/0x520 net/socket.c:2244
 __do_sys_sendto net/socket.c:2251 [inline]
 __se_sys_sendto net/socket.c:2247 [inline]
 __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2247
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8880721cbc00
 which belongs to the cache kmalloc-cg-512 of size 512
The buggy address is located 583 bytes to the right of
 allocated 440-byte region [ffff8880721cbc00, ffff8880721cbdb8)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x721c8
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ff30140 ffffea0001e68c00 dead000000000002
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ff30140 ffffea0001e68c00 dead000000000002
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0001c87201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5796, tgid 5796 (sshd-session), ts 52056965840, free_ts 15121629475
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1850
 prep_new_page mm/page_alloc.c:1858 [inline]
 get_page_from_freelist+0x10a3/0x3a30 mm/page_alloc.c:3884
 __alloc_frozen_pages_noprof+0x25f/0x2470 mm/page_alloc.c:5183
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:3039 [inline]
 allocate_slab mm/slub.c:3212 [inline]
 new_slab+0x24a/0x360 mm/slub.c:3266
 ___slab_alloc+0xdc4/0x1ae0 mm/slub.c:4636
 __slab_alloc.constprop.0+0x63/0x110 mm/slub.c:4755
 __slab_alloc_node mm/slub.c:4831 [inline]
 slab_alloc_node mm/slub.c:5253 [inline]
 __do_kmalloc_node mm/slub.c:5626 [inline]
 __kmalloc_node_track_caller_noprof+0x4db/0x8a0 mm/slub.c:5736
 kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:601
 __alloc_skb+0x166/0x380 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1383 [inline]
 alloc_skb_with_frags+0xe0/0x860 net/core/skbuff.c:6671
 sock_alloc_send_pskb+0x7f9/0x980 net/core/sock.c:2965
 unix_stream_sendmsg+0x39f/0x1340 net/unix/af_unix.c:2455
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 sock_write_iter+0x566/0x610 net/socket.c:1195
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x7d3/0x11d0 fs/read_write.c:686
 ksys_write+0x1f8/0x250 fs/read_write.c:738
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 __free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2906
 __free_pages mm/page_alloc.c:5302 [inline]
 free_contig_range+0x183/0x4b0 mm/page_alloc.c:7146
 destroy_args+0xb69/0x12e0 mm/debug_vm_pgtable.c:958
 debug_vm_pgtable+0x1a32/0x3640 mm/debug_vm_pgtable.c:1345
 do_one_initcall+0x123/0x6e0 init/main.c:1283
 do_initcall_level init/main.c:1345 [inline]
 do_initcalls init/main.c:1361 [inline]
 do_basic_setup init/main.c:1380 [inline]
 kernel_init_freeable+0x5c8/0x920 init/main.c:1593
 kernel_init+0x1c/0x2b0 init/main.c:1483
 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff8880721cbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880721cbf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880721cbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff8880721cc000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880721cc080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 00                	add    %al,(%rax)
   4:	0f 1f 40 00          	nopl   0x0(%rax)
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	0f 1f 40 d6          	nopl   -0x2a(%rax)
  1c:	48 85 f6             	test   %rsi,%rsi
  1f:	0f 84 64 01 00 00    	je     0x189
  25:	48 89 f8             	mov    %rdi,%rax
  28:	41 54                	push   %r12
* 2a:	44 0f b6 c2          	movzbl %dl,%r8d <-- trapping instruction
  2e:	48 01 f0             	add    %rsi,%rax
  31:	55                   	push   %rbp
  32:	53                   	push   %rbx
  33:	0f 82 d7 00 00 00    	jb     0x110
  39:	eb 0f                	jmp    0x4a
  3b:	cc                   	int3
  3c:	cc                   	int3
  3d:	cc                   	int3
  3e:	48                   	rex.W
  3f:	b8                   	.byte 0xb8


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event (2)
  2025-10-14 15:20 ` syzbot
@ 2025-10-15 12:06   ` Oliver Neukum
  2025-10-15 12:08     ` syzbot
  2025-10-15 12:17   ` Oliver Neukum
  2025-10-20 14:00   ` Oliver Neukum
  2 siblings, 1 reply; 8+ messages in thread
From: Oliver Neukum @ 2025-10-15 12:06 UTC (permalink / raw)
  To: syzbot, bentiss, jikos, linux-input, linux-kernel, linux-usb,
	syzkaller-bugs

[-- Attachment #1: Type: text/plain, Size: 14640 bytes --]

#syz test: git://repo/address.git 3a8660878839

[-- Attachment #2: 0001-hid-mcp2221-validate-message-length.patch --]
[-- Type: text/x-patch, Size: 4406 bytes --]

From 41216a0385b9d2ff1f42a860109bba286fe9d28b Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Wed, 15 Oct 2025 13:49:05 +0200
Subject: [PATCH] hid-mcp2221: validate message length

The message passed to raw_event is of indeterminate length.
Check for length before accessing members.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/hid/hid-mcp2221.c | 44 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index 33603b019f97..d5e9f7ef8ba8 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -849,12 +849,18 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 	u8 *buf;
 	struct mcp2221 *mcp = hid_get_drvdata(hdev);
 
+	if (size <= 0)
+		goto bail;
+
 	switch (data[0]) {
 
 	case MCP2221_I2C_WR_DATA:
 	case MCP2221_I2C_WR_NO_STOP:
 	case MCP2221_I2C_RD_DATA:
 	case MCP2221_I2C_RD_RPT_START:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			mcp->status = 0;
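Review bot: the `if (size <= 0) goto bail;` at the top and the `if (size < 2)` guard before `switch (data[1])` are the right checks, but the `bail` label they jump to lives inside the `default:` arm of this same `switch (data[0])` (last hunk of this patch), so the first goto jumps forward into a case body before the switch has even been entered. That is legal C, but a reader has to go find the label to learn that a short report is reported as `-EIO` and completes `wait_in_report`; a one-line comment at the first check, or a small helper that sets the status, completes the wait and returns, would make the intent visible at the point of use.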
@@ -866,6 +872,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_I2C_PARAM_OR_STATUS:
+		if (size < 4)
+			goto bail;
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			if ((mcp->txbuf[3] == MCP2221_I2C_SET_SPEED) &&
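Review bot: the bound `size < 4` is a magic number and nothing in this hunk explains it; the only `data[]` index visible here is `data[1]` (`txbuf[3]` is the driver's own transmit buffer, not the report). If the `MCP2221_SUCCESS` branch reads `data[3]` further down, say so in a comment next to the check, or express the threshold through a named constant, so the bound can be verified against the access it protects.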
@@ -873,6 +881,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 				mcp->status = -EAGAIN;
 				break;
 			}
+			if (size < 21)
+				goto bail;
 			if (data[20] & MCP2221_I2C_MASK_ADDR_NACK) {
 				mcp->status = -ENXIO;
 				break;
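Review bot: `if (size < 21)` correctly covers the `data[20]` read that follows, but it is placed after the `-EAGAIN` early exit, so a report shorter than 21 bytes that fails the speed check is reported as `-EAGAIN` rather than `-EIO`. That is probably harmless, but if a successful status response is always a full report, hoisting this check to the `MCP2221_SUCCESS:` label together with the `size < 4` check added for this case would give one bound per command instead of several staged ones.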
@@ -889,12 +899,19 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_I2C_GET_DATA:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (size < 3)
+				goto bail;
 			if (data[2] == MCP2221_I2C_ADDR_NACK) {
 				mcp->status = -ENXIO;
 				break;
 			}
+			if (size < 4)
+				goto bail;
 			if (!mcp_get_i2c_eng_state(mcp, data, 2)
 				&& (data[3] == 0)) {
 				mcp->status = 0;
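Review bot: three staged checks (`size < 2`, `size < 3`, `size < 4`) guard successive indices within the same `MCP2221_SUCCESS` branch. Since `mcp_get_i2c_eng_state(mcp, data, 2)` and `data[3]` are read on every non-NACK success path, a single `if (size < 4) goto bail;` at the top of the case would cover all of them; the only behavioural difference is that a 3-byte report carrying `MCP2221_I2C_ADDR_NACK` would yield `-EIO` instead of `-ENXIO`, which is arguably the more honest result for a truncated response.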
@@ -906,7 +923,9 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 			}
 			if (data[2] == MCP2221_I2C_READ_COMPL ||
 			    data[2] == MCP2221_I2C_READ_PARTIAL) {
-				if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+				if (!mcp->rxbuf ||
+				    mcp->rxbuf_idx < 0 || data[3] > 60 ||
+				    data[3] > size - 4 ) {
 					mcp->status = -EINVAL;
 					break;
 				}
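Review bot: `data[3] > size - 4` is the right bound for a payload that starts at `data[4]`, and `size >= 4` is already guaranteed by the `size < 4` check added earlier in this same `MCP2221_SUCCESS` branch, so the subtraction cannot go negative. Two nits: the stray space in `size - 4 )` will trip checkpatch, and writing the condition as `data[3] + 4 > size` reads more naturally as "payload end past report end" next to the existing `data[3] > 60` limit.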
@@ -925,8 +944,13 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_GPIO_GET:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (mcp->gp_idx < size)
+				goto bail;
 			if ((data[mcp->gp_idx] == MCP2221_ALT_F_NOT_GPIOV) ||
 				(data[mcp->gp_idx + 1] == MCP2221_ALT_F_NOT_GPIOD)) {
 				mcp->status = -ENOENT;
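Review bot: the new guard `if (mcp->gp_idx < size) goto bail;` is inverted. The reads below are `data[mcp->gp_idx]` and `data[mcp->gp_idx + 1]`, so the report is too short exactly when `mcp->gp_idx + 1 >= size`; as written the function bails on every well-formed report (index inside the buffer) and proceeds precisely when the index is out of bounds. It should read `if (mcp->gp_idx + 1 >= size) goto bail;` (equivalently `size < mcp->gp_idx + 2`).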
@@ -942,8 +966,13 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_GPIO_SET:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (size < mcp->gp_idx)
+				goto bail;
 			if ((data[mcp->gp_idx] == MCP2221_ALT_F_NOT_GPIOV) ||
 				(data[mcp->gp_idx - 1] == MCP2221_ALT_F_NOT_GPIOV)) {
 				mcp->status = -ENOENT;
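Review bot: `if (size < mcp->gp_idx)` is off by one. The branch reads `data[mcp->gp_idx]`, which is in bounds only when `mcp->gp_idx < size`, so the guard must be `if (size <= mcp->gp_idx) goto bail;`; with the current form a report of exactly `gp_idx` bytes still reads one byte past the end. The `data[mcp->gp_idx - 1]` read additionally assumes `gp_idx >= 1`; if `gp_idx` can ever be 0 that needs its own check.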
@@ -958,6 +987,9 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_SET_SRAM_SETTINGS:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			mcp->status = 0;
@@ -969,8 +1001,13 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_GET_SRAM_SETTINGS:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (size < 22 + 4)
+				goto bail;
 			memcpy(&mcp->mode, &data[22], 4);
 #if IS_REACHABLE(CONFIG_IIO)
 			mcp->dac_value = data[6] & GENMASK(4, 0);
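Review bot: `size < 22 + 4` is correct for the 4-byte `memcpy` from `&data[22]` and, by implication, for the `data[6]` read under `CONFIG_IIO`. Keeping the bound in the `22 + 4` form is better than a bare 26 because it mirrors the memcpy arguments, but the offset and length are now spelled out twice; naming them once (a `#define` used by both the check and the `memcpy`) would keep the bound and the copy from drifting apart.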
@@ -984,6 +1021,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_READ_FLASH_DATA:
+		if (size < 2)
+			goto bail;
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			mcp->status = 0;
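Review bot: style nit: the guard here is not followed by a blank line before `switch (data[1])`, while the equivalent guards added for `MCP2221_GPIO_GET`, `MCP2221_GPIO_SET`, `MCP2221_SET_SRAM_SETTINGS` and `MCP2221_GET_SRAM_SETTINGS` are; pick one layout for the whole series.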
@@ -997,6 +1036,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 #if IS_REACHABLE(CONFIG_IIO)
 			{
 				u8 tmp;
+				if (size < 8)
+					goto bail;
 				/* DAC scale value */
 				tmp = FIELD_GET(GENMASK(7, 6), data[6]);
 				if ((data[6] & BIT(5)) && tmp)
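Review bot: `if (size < 8)` sits inside the `#if IS_REACHABLE(CONFIG_IIO)` block, so it only runs when IIO is reachable; if nothing outside that block reads past `data[1]` for this command that is fine, but it deserves a comment, since the `size < 2` check above is all that protects the non-IIO build. Also, the access visible here is `data[6]`, which needs only `size >= 7`; if a later `data[7]` read justifies 8, note it at the check, otherwise the bound looks one too high (harmless, but confusing to verify).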
@@ -1021,6 +1062,7 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	default:
+bail:
 		mcp->status = -EIO;
 		complete(&mcp->wait_in_report);
 	}
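Review bot: placing `bail:` inside the `default:` arm works, because every `goto bail` jumps into a case arm of the same switch, but it couples each truncated-report path to the unknown-command path and reads oddly. A clearer shape is a `bail:` label after the switch that sets `mcp->status = -EIO` and calls `complete(&mcp->wait_in_report)` itself, with `default:` reaching it by `goto` as well. Either way a short comment stating that a truncated report is deliberately handled like an unrecognised one would help the next reader.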
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event (2)
  2025-10-15 12:06   ` Oliver Neukum
@ 2025-10-15 12:08     ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2025-10-15 12:08 UTC (permalink / raw)
  To: bentiss, jikos, linux-input, linux-kernel, linux-usb, oneukum,
	syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://repo/address.git on commit 3a8660878839: failed to run ["git" "fetch" "--force" "--tags" "b7cf8f2fbfc36c709a08e0b9c77990e491473738"]: exit status 128


Tested on:

commit:         [unknown 
git tree:       git://repo/address.git 3a8660878839
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e7b5a3627a90dd
dashboard link: https://syzkaller.appspot.com/bug?extid=1018672fe70298606e5f
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13bed542580000


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event (2)
  2025-10-14 15:20 ` syzbot
  2025-10-15 12:06   ` Oliver Neukum
@ 2025-10-15 12:17   ` Oliver Neukum
  2025-10-15 12:40     ` syzbot
  2025-10-20 14:00   ` Oliver Neukum
  2 siblings, 1 reply; 8+ messages in thread
From: Oliver Neukum @ 2025-10-15 12:17 UTC (permalink / raw)
  To: syzbot, bentiss, jikos, linux-input, linux-kernel, linux-usb,
	syzkaller-bugs

[-- Attachment #1: Type: text/plain, Size: 14626 bytes --]

#syz test: upstream 3a8660878839

>   new_sync_write fs/read_write.c:593 [inline]
>   vfs_write+0x7d3/0x11d0 fs/read_write.c:686
>   ksys_write+0x1f8/0x250 fs/read_write.c:738
> page last free pid 1 tgid 1 stack trace:
>   reset_page_owner include/linux/page_owner.h:25 [inline]
>   free_pages_prepare mm/page_alloc.c:1394 [inline]
>   __free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2906
>   __free_pages mm/page_alloc.c:5302 [inline]
>   free_contig_range+0x183/0x4b0 mm/page_alloc.c:7146
>   destroy_args+0xb69/0x12e0 mm/debug_vm_pgtable.c:958
>   debug_vm_pgtable+0x1a32/0x3640 mm/debug_vm_pgtable.c:1345
>   do_one_initcall+0x123/0x6e0 init/main.c:1283
>   do_initcall_level init/main.c:1345 [inline]
>   do_initcalls init/main.c:1361 [inline]
>   do_basic_setup init/main.c:1380 [inline]
>   kernel_init_freeable+0x5c8/0x920 init/main.c:1593
>   kernel_init+0x1c/0x2b0 init/main.c:1483
>   ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> 
> Memory state around the buggy address:
>   ffff8880721cbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   ffff8880721cbf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff8880721cbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>                                                                  ^
>   ffff8880721cc000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   ffff8880721cc080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ==================================================================
> ----------------
> Code disassembly (best guess):
> 
> 
> ---
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
> 

[-- Attachment #2: 0001-hid-mcp2221-validate-message-length.patch --]
[-- Type: text/x-patch, Size: 4406 bytes --]

From 41216a0385b9d2ff1f42a860109bba286fe9d28b Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Wed, 15 Oct 2025 13:49:05 +0200
Subject: [PATCH] hid-mcp2221: validate message length

The message passed to raw_event is of indeterminate length.
Check for length before accessing members.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/hid/hid-mcp2221.c | 44 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index 33603b019f97..d5e9f7ef8ba8 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -849,12 +849,18 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 	u8 *buf;
 	struct mcp2221 *mcp = hid_get_drvdata(hdev);
 
+	if (size <= 0)
+		goto bail;
+
 	switch (data[0]) {
 
 	case MCP2221_I2C_WR_DATA:
 	case MCP2221_I2C_WR_NO_STOP:
 	case MCP2221_I2C_RD_DATA:
 	case MCP2221_I2C_RD_RPT_START:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			mcp->status = 0;
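Review bot: every arm of the outer switch now opens with its own `if (size < 2) goto bail;` before `switch (data[1])`, and the top-of-function guard is only `size <= 0`. Since `data[0]` and `data[1]` are read on every path that does anything, a single `if (size < 2) goto bail;` before the outer switch would cover all of them and remove the repeated per-case checks; the `default:` arm lands on the same `-EIO` either way. Also note that this `goto bail` jumps from outside the switch to a label placed under `default:` further down, which is legal but easy to misread without a comment.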
@@ -866,6 +872,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_I2C_PARAM_OR_STATUS:
+		if (size < 4)
+			goto bail;
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			if ((mcp->txbuf[3] == MCP2221_I2C_SET_SPEED) &&
@@ -873,6 +881,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 				mcp->status = -EAGAIN;
 				break;
 			}
+			if (size < 21)
+				goto bail;
 			if (data[20] & MCP2221_I2C_MASK_ADDR_NACK) {
 				mcp->status = -ENXIO;
 				break;
@@ -889,12 +899,19 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_I2C_GET_DATA:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (size < 3)
+				goto bail;
 			if (data[2] == MCP2221_I2C_ADDR_NACK) {
 				mcp->status = -ENXIO;
 				break;
 			}
+			if (size < 4)
+				goto bail;
 			if (!mcp_get_i2c_eng_state(mcp, data, 2)
 				&& (data[3] == 0)) {
 				mcp->status = 0;
@@ -906,7 +923,9 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 			}
 			if (data[2] == MCP2221_I2C_READ_COMPL ||
 			    data[2] == MCP2221_I2C_READ_PARTIAL) {
-				if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+				if (!mcp->rxbuf ||
+				    mcp->rxbuf_idx < 0 || data[3] > 60 ||
+				    data[3] > size - 4 ) {
 					mcp->status = -EINVAL;
 					break;
 				}
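Review bot: stray space before the closing parenthesis in `data[3] > size - 4 )`. The check itself is right: the later copy reads `data[3]` bytes starting at `data[4]`, so `data[3] <= size - 4` is exactly what is needed, and `size - 4` cannot go negative here because this arm is guarded by `size < 4` above, so comparing it against the promoted `u8` is safe. A one-line comment saying the bound protects the `memcpy` from `&data[4]` would make the intent obvious.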
@@ -925,8 +944,13 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_GPIO_GET:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (mcp->gp_idx < size)
+				goto bail;
 			if ((data[mcp->gp_idx] == MCP2221_ALT_F_NOT_GPIOV) ||
 				(data[mcp->gp_idx + 1] == MCP2221_ALT_F_NOT_GPIOD)) {
 				mcp->status = -ENOENT;
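Review bot: the guard `if (mcp->gp_idx < size) goto bail;` is inverted. It bails precisely when `gp_idx` is inside the report and falls through to `data[mcp->gp_idx]` and `data[mcp->gp_idx + 1]` when it is not, so this arm can never succeed on a well-formed report and still reads past the end of a short one. The highest index read here is `gp_idx + 1`, so the condition should be `if (mcp->gp_idx + 1 >= size) goto bail;`.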
@@ -942,8 +966,13 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_GPIO_SET:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (size < mcp->gp_idx)
+				goto bail;
 			if ((data[mcp->gp_idx] == MCP2221_ALT_F_NOT_GPIOV) ||
 				(data[mcp->gp_idx - 1] == MCP2221_ALT_F_NOT_GPIOV)) {
 				mcp->status = -ENOENT;
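Review bot: `if (size < mcp->gp_idx)` is off by one and checks only the upper bound. `data[mcp->gp_idx]` requires `gp_idx < size` (bail on `gp_idx >= size`), and `data[mcp->gp_idx - 1]` requires `gp_idx >= 1`; with `gp_idx` still 0 because no GPIO request has been issued when the report arrives, that second read is `data[-1]`, one byte before the buffer. syzbot's retest of this patch still reports the access at line 977 of the patched file, which is this `data[mcp->gp_idx - 1]` line, at an address one byte below a page-aligned region, consistent with exactly that read. Suggest `if (mcp->gp_idx < 1 || mcp->gp_idx >= size) goto bail;`.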
@@ -958,6 +987,9 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_SET_SRAM_SETTINGS:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			mcp->status = 0;
@@ -969,8 +1001,13 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_GET_SRAM_SETTINGS:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (size < 22 + 4)
+				goto bail;
 			memcpy(&mcp->mode, &data[22], 4);
 #if IS_REACHABLE(CONFIG_IIO)
 			mcp->dac_value = data[6] & GENMASK(4, 0);
@@ -984,6 +1021,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_READ_FLASH_DATA:
+		if (size < 2)
+			goto bail;
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			mcp->status = 0;
@@ -997,6 +1036,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 #if IS_REACHABLE(CONFIG_IIO)
 			{
 				u8 tmp;
+				if (size < 8)
+					goto bail;
 				/* DAC scale value */
 				tmp = FIELD_GET(GENMASK(7, 6), data[6]);
 				if ((data[6] & BIT(5)) && tmp)
@@ -1021,6 +1062,7 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	default:
+bail:
 		mcp->status = -EIO;
 		complete(&mcp->wait_in_report);
 	}
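Review bot: the `bail:` label sits inside the `default:` arm and is reached by `goto` from other arms and from before the switch; that is valid C, but a short comment on the label ("truncated or unknown report") would help the next reader, since a short report now gets the same `-EIO` as an unknown report type. A `hid_dbg(hdev, ...)` with `data[0]` and `size` on this path would also make a misbehaving device diagnosable instead of silently failing the request.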
-- 
2.51.0
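As an added example, not the driver's code and not part of the patch above, here is a stand-alone model of the GPIO_GET and GPIO_SET arms of mcp2221_raw_event() with each bound derived from the highest and lowest index the arm reads, so that a short report and an unsolicited report (gp_idx still 0) both take the bail path instead of indexing outside data[]. The report ids and marker bytes are assumed placeholders, and the reports are constructed, not captured from hardware.

```c
/* Added example (not drivers/hid/hid-mcp2221.c): bounds-checked model of the
 * GPIO_GET / GPIO_SET report handling.  Constants below are assumed values. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MCP2221_GPIO_SET        0x50   /* assumed report id */
#define MCP2221_GPIO_GET        0x51   /* assumed report id */
#define MCP2221_SUCCESS         0x00   /* assumed status byte */
#define MCP2221_ALT_F_NOT_GPIOV 0xEE   /* assumed "pin not in GPIO mode" marker */
#define MCP2221_ALT_F_NOT_GPIOD 0xEF   /* assumed "pin not in GPIO mode" marker */

#define REPORT_LEN 64                  /* a full 64-byte HID report */

struct mcp_model {
	int gp_idx;   /* byte offset of the pin being queried; 0 until a request is issued */
	int status;   /* what the driver stores in mcp->status */
};

/*
 * Handle one input report of `size` bytes.  Every check comes from the
 * indices the arm reads: GPIO_GET reads data[gp_idx] and data[gp_idx + 1],
 * GPIO_SET reads data[gp_idx] and data[gp_idx - 1], so GPIO_SET must also
 * reject gp_idx == 0, which would otherwise read data[-1].
 */
static int handle_gpio_report(struct mcp_model *mcp, const uint8_t *data, int size)
{
	if (size < 2)                       /* data[0] and data[1] are read on every path */
		goto bail;

	switch (data[0]) {
	case MCP2221_GPIO_GET:
		if (data[1] != MCP2221_SUCCESS)
			goto bail;
		if (mcp->gp_idx < 0 || mcp->gp_idx + 1 >= size)
			goto bail;                  /* data[gp_idx + 1] would be past the end */
		if (data[mcp->gp_idx] == MCP2221_ALT_F_NOT_GPIOV ||
		    data[mcp->gp_idx + 1] == MCP2221_ALT_F_NOT_GPIOD)
			return mcp->status = -ENOENT;
		return mcp->status = 0;

	case MCP2221_GPIO_SET:
		if (data[1] != MCP2221_SUCCESS)
			goto bail;
		if (mcp->gp_idx < 1 || mcp->gp_idx >= size)
			goto bail;                  /* covers data[gp_idx - 1] and data[gp_idx] */
		if (data[mcp->gp_idx] == MCP2221_ALT_F_NOT_GPIOV ||
		    data[mcp->gp_idx - 1] == MCP2221_ALT_F_NOT_GPIOV)
			return mcp->status = -ENOENT;
		return mcp->status = 0;

	default:
bail:   /* truncated or unknown report: fail the outstanding request */
		return mcp->status = -EIO;
	}
}

/* Constructed reports exercising the four interesting cases. */
static int case_get_full_report(void)
{
	struct mcp_model mcp = { .gp_idx = 2 };
	uint8_t rep[REPORT_LEN] = { MCP2221_GPIO_GET, MCP2221_SUCCESS, 0x01, 0x00 };
	return handle_gpio_report(&mcp, rep, REPORT_LEN);     /* 0 */
}

static int case_get_truncated(void)
{
	/* only 3 bytes arrive: data[gp_idx + 1] == data[3] is past the end */
	struct mcp_model mcp = { .gp_idx = 2 };
	uint8_t rep[3] = { MCP2221_GPIO_GET, MCP2221_SUCCESS, 0x01 };
	return handle_gpio_report(&mcp, rep, (int)sizeof(rep)); /* -EIO */
}

static int case_set_unsolicited(void)
{
	/* no GPIO request outstanding: gp_idx is 0, data[gp_idx - 1] would be data[-1] */
	struct mcp_model mcp = { .gp_idx = 0 };
	uint8_t rep[REPORT_LEN] = { MCP2221_GPIO_SET, MCP2221_SUCCESS };
	return handle_gpio_report(&mcp, rep, REPORT_LEN);     /* -EIO */
}

static int case_set_not_gpio(void)
{
	struct mcp_model mcp = { .gp_idx = 3 };
	uint8_t rep[REPORT_LEN] = { MCP2221_GPIO_SET, MCP2221_SUCCESS,
				    0x00, MCP2221_ALT_F_NOT_GPIOV };
	return handle_gpio_report(&mcp, rep, REPORT_LEN);     /* -ENOENT */
}

int main(void)
{
	printf("GPIO_GET full report:   %d\n", case_get_full_report());
	printf("GPIO_GET truncated:     %d\n", case_get_truncated());
	printf("GPIO_SET unsolicited:   %d\n", case_set_unsolicited());
	printf("GPIO_SET pin not GPIO:  %d\n", case_set_not_gpio());
	return 0;
}
```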



* Re: [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event (2)
  2025-10-15 12:17   ` Oliver Neukum
@ 2025-10-15 12:40     ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2025-10-15 12:40 UTC (permalink / raw)
  To: bentiss, jikos, linux-input, linux-kernel, linux-usb, oneukum,
	syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in mcp2221_raw_event

==================================================================
BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x1276/0x12a0 drivers/hid/hid-mcp2221.c:977
Read of size 1 at addr ffff88805c577fff by task dhcpcd-run-hook/6714

CPU: 0 UID: 0 PID: 6714 Comm: dhcpcd-run-hook Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 mcp2221_raw_event+0x1276/0x12a0 drivers/hid/hid-mcp2221.c:977
 __hid_input_report.constprop.0+0x314/0x450 drivers/hid/hid-core.c:2139
 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
 dummy_timer+0x1809/0x3a00 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
 __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1841
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1858
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:mt_find+0x99a/0xa20 lib/maple_tree.c:6502
Code: e9 f4 fa ff ff 31 db e9 9c fd ff ff 4c 89 ff e8 dc 51 c6 f6 e9 d4 f8 ff ff e8 a2 51 c6 f6 e9 8f f8 ff ff e8 88 ca 5d f6 31 db <e8> 81 ca 5d f6 48 85 db 0f 85 80 f9 ff ff e9 df fc ff ff e8 6e ca
RSP: 0018:ffffc9000457fbc8 EFLAGS: 00000292
RAX: 0000000000000000 RBX: ffff88803166c8c0 RCX: ffffffff8b5f6970
RDX: ffff888033084900 RSI: ffffffff8b5f6e74 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffffc9000457fd08 R14: 0000000000000300 R15: 0000000000000002
 find_vma+0xbf/0x140 mm/mmap.c:909
 lock_mm_and_find_vma+0x62/0x6e0 mm/mmap_lock.c:431
 do_user_addr_fault+0x2ac/0x1370 arch/x86/mm/fault.c:1359
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x64/0xc0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0010:__put_user_4+0xd/0x20 arch/x86/lib/putuser.S:94
Code: 66 89 01 31 c9 0f 01 ca c3 cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 89 cb 48 c1 fb 3f 48 09 d9 0f 01 cb <89> 01 31 c9 0f 01 ca c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90
RSP: 0018:ffffc9000457fef8 EFLAGS: 00050206
RAX: 0000000000001a3a RBX: 0000000000000000 RCX: 00007f8b8be0df50
RDX: dffffc0000000000 RSI: ffffffff8dadd91d RDI: ffff888033084fe0
RBP: ffffc9000457ff48 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802b8fc900
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 schedule_tail+0xb0/0xe0 kernel/sched/core.c:5260
 ret_from_fork+0x25/0x7d0 arch/x86/kernel/process.c:154
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6476:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
 kasan_save_track+0x14/0x30 mm/kasan/common.c:77
 unpoison_slab_object mm/kasan/common.c:342 [inline]
 __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:368
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4955 [inline]
 slab_alloc_node mm/slub.c:5265 [inline]
 kmem_cache_alloc_node_noprof+0x28a/0x770 mm/slub.c:5317
 kmalloc_reserve+0x18b/0x2c0 net/core/skbuff.c:579
 __alloc_skb+0x166/0x380 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1383 [inline]
 alloc_uevent_skb+0x7d/0x210 lib/kobject_uevent.c:289
 uevent_net_broadcast_untagged lib/kobject_uevent.c:326 [inline]
 kobject_uevent_net_broadcast lib/kobject_uevent.c:410 [inline]
 kobject_uevent_env+0xca4/0x1870 lib/kobject_uevent.c:608
 device_del+0x623/0x9f0 drivers/base/core.c:3896
 gpiochip_remove+0x5aa/0x6d0 drivers/gpio/gpiolib.c:1303
 release_nodes+0x116/0x240 drivers/base/devres.c:505
 devres_release_group+0x1c1/0x300 drivers/base/devres.c:692
 hid_device_remove+0x107/0x260 drivers/hid/hid-core.c:2836
 device_remove+0xcb/0x170 drivers/base/dd.c:569
 __device_release_driver drivers/base/dd.c:1274 [inline]
 device_release_driver_internal+0x44b/0x620 drivers/base/dd.c:1297
 bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
 device_del+0x396/0x9f0 drivers/base/core.c:3878
 hid_remove_device drivers/hid/hid-core.c:3008 [inline]
 hid_destroy_device+0x19c/0x240 drivers/hid/hid-core.c:3030
 usbhid_disconnect+0xa0/0xe0 drivers/hid/usbhid/hid-core.c:1462
 usb_unbind_interface+0x1dd/0x9e0 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:571 [inline]
 device_remove+0x125/0x170 drivers/base/dd.c:563
 __device_release_driver drivers/base/dd.c:1274 [inline]
 device_release_driver_internal+0x44b/0x620 drivers/base/dd.c:1297
 bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
 device_del+0x396/0x9f0 drivers/base/core.c:3878
 usb_disable_device+0x355/0x7d0 drivers/usb/core/message.c:1418
 usb_disconnect+0x2e1/0x9c0 drivers/usb/core/hub.c:2344
 hub_port_connect drivers/usb/core/hub.c:5406 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x1c81/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263
 process_scheduled_works kernel/workqueue.c:3346 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 5183:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
 kasan_save_track+0x14/0x30 mm/kasan/common.c:77
 __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587
 kasan_save_free_info mm/kasan/kasan.h:406 [inline]
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2523 [inline]
 slab_free mm/slub.c:6611 [inline]
 kmem_cache_free+0x2d4/0x6c0 mm/slub.c:6721
 skb_kfree_head net/core/skbuff.c:1046 [inline]
 skb_kfree_head net/core/skbuff.c:1043 [inline]
 skb_free_head+0x1b7/0x210 net/core/skbuff.c:1060
 skb_release_data+0x795/0x9e0 net/core/skbuff.c:1087
 skb_release_all net/core/skbuff.c:1152 [inline]
 __kfree_skb net/core/skbuff.c:1166 [inline]
 consume_skb net/core/skbuff.c:1398 [inline]
 consume_skb+0xbf/0x100 net/core/skbuff.c:1392
 netlink_recvmsg+0x5b9/0xa90 net/netlink/af_netlink.c:1974
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg+0x1f9/0x250 net/socket.c:1100
 ____sys_recvmsg+0x218/0x6b0 net/socket.c:2850
 ___sys_recvmsg+0x114/0x1a0 net/socket.c:2892
 __sys_recvmsg+0x16a/0x220 net/socket.c:2925
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88805c577a80
 which belongs to the cache skbuff_small_head of size 704
The buggy address is located 703 bytes to the right of
 allocated 704-byte region [ffff88805c577a80, ffff88805c577d40)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5c574
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888140edbb40 ffffea0001f37a00 dead000000000004
raw: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff888140edbb40 ffffea0001f37a00 dead000000000004
head: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0001715d01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6343, tgid 6343 (syz-executor), ts 113786247405, free_ts 94133356886
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1850
 prep_new_page mm/page_alloc.c:1858 [inline]
 get_page_from_freelist+0x10a3/0x3a30 mm/page_alloc.c:3884
 __alloc_frozen_pages_noprof+0x25f/0x2470 mm/page_alloc.c:5183
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:3039 [inline]
 allocate_slab mm/slub.c:3212 [inline]
 new_slab+0x24a/0x360 mm/slub.c:3266
 ___slab_alloc+0xdc4/0x1ae0 mm/slub.c:4636
 __slab_alloc.constprop.0+0x63/0x110 mm/slub.c:4755
 __slab_alloc_node mm/slub.c:4831 [inline]
 slab_alloc_node mm/slub.c:5253 [inline]
 kmem_cache_alloc_node_noprof+0x43c/0x770 mm/slub.c:5317
 kmalloc_reserve+0x18b/0x2c0 net/core/skbuff.c:579
 __alloc_skb+0x166/0x380 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1383 [inline]
 nlmsg_new include/net/netlink.h:1055 [inline]
 mpls_netconf_notify_devconf+0x4a/0x110 net/mpls/af_mpls.c:1189
 mpls_dev_sysctl_register+0x1c9/0x2a0 net/mpls/af_mpls.c:1409
 mpls_add_dev net/mpls/af_mpls.c:1460 [inline]
 mpls_dev_notify+0x4ab/0xa20 net/mpls/af_mpls.c:1600
 notifier_call_chain+0xbc/0x410 kernel/notifier.c:85
 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2229
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 register_netdevice+0x182e/0x2270 net/core/dev.c:11332
page last free pid 6136 tgid 6136 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 __free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2906
 discard_slab mm/slub.c:3310 [inline]
 __put_partials+0x130/0x170 mm/slub.c:3857
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:352
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4955 [inline]
 slab_alloc_node mm/slub.c:5265 [inline]
 __do_kmalloc_node mm/slub.c:5626 [inline]
 __kmalloc_noprof+0x2e8/0x880 mm/slub.c:5639
 kmalloc_noprof include/linux/slab.h:961 [inline]
 tomoyo_realpath_from_path+0xc2/0x6e0 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x274/0x460 security/tomoyo/file.c:822
 security_inode_getattr+0x116/0x290 security/security.c:2416
 vfs_getattr fs/stat.c:259 [inline]
 vfs_fstat+0x4b/0xe0 fs/stat.c:281
 __do_sys_newfstat+0x87/0x100 fs/stat.c:555
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805c577e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805c577f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805c577f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88805c578000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88805c578080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):


Tested on:

commit:         3a866087 Linux 6.18-rc1
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1721d542580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e7b5a3627a90dd
dashboard link: https://syzkaller.appspot.com/bug?extid=1018672fe70298606e5f
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1004952f980000



* Re: [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event (2)
  2025-10-14 15:20 ` syzbot
  2025-10-15 12:06   ` Oliver Neukum
  2025-10-15 12:17   ` Oliver Neukum
@ 2025-10-20 14:00   ` Oliver Neukum
  2025-10-20 23:57     ` syzbot
  2 siblings, 1 reply; 8+ messages in thread
From: Oliver Neukum @ 2025-10-20 14:00 UTC (permalink / raw)
  To: syzbot, bentiss, jikos, linux-input, linux-kernel, linux-usb,
	syzkaller-bugs

[-- Attachment #1: Type: text/plain, Size: 14626 bytes --]

#syz test: upstream 3a8660878839

On 14.10.25 17:20, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    3a8660878839 Linux 6.18-rc1
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12a705e2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e7b5a3627a90dd
> dashboard link: https://syzkaller.appspot.com/bug?extid=1018672fe70298606e5f
> compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=132ebb34580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140fe52f980000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/e767e8931970/disk-3a866087.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/4cb12bdcfcea/vmlinux-3a866087.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/b08acfae954d/bzImage-3a866087.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+1018672fe70298606e5f@syzkaller.appspotmail.com
> 
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in mcp2221_raw_event+0x1070/0x10a0 drivers/hid/hid-mcp2221.c:948
> Read of size 1 at addr ffff8880721cbfff by task kworker/0:7/6094
> 
> CPU: 0 UID: 0 PID: 6094 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>   <IRQ>
>   __dump_stack lib/dump_stack.c:94 [inline]
>   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
>   print_address_description mm/kasan/report.c:378 [inline]
>   print_report+0xcd/0x630 mm/kasan/report.c:482
>   kasan_report+0xe0/0x110 mm/kasan/report.c:595
>   mcp2221_raw_event+0x1070/0x10a0 drivers/hid/hid-mcp2221.c:948
>   __hid_input_report.constprop.0+0x314/0x450 drivers/hid/hid-core.c:2139
>   hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
>   __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
>   usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
>   dummy_timer+0x1809/0x3a00 drivers/usb/gadget/udc/dummy_hcd.c:1995
>   __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
>   __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1841
>   hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1858
>   handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
>   __do_softirq kernel/softirq.c:656 [inline]
>   invoke_softirq kernel/softirq.c:496 [inline]
>   __irq_exit_rcu+0x109/0x170 kernel/softirq.c:723
>   irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
>   instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
>   sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1052
>   </IRQ>
>   <TASK>
>   asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
> RIP: 0010:kasan_check_range+0x12/0x1b0 mm/kasan/generic.c:199
> Code: 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 85 f6 0f 84 64 01 00 00 48 89 f8 41 54 <44> 0f b6 c2 48 01 f0 55 53 0f 82 d7 00 00 00 eb 0f cc cc cc 48 b8
> RSP: 0018:ffffc900037b6b60 EFLAGS: 00000202
> RAX: ffff888077da86b0 RBX: ffff888077da8668 RCX: ffffffff819803ae
> RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff888077da86b0
> RBP: ffff888077da86b0 R08: 0000000000000002 R09: 0000000000000000
> R10: ffff888077da866f R11: 0000000000000000 R12: ffffffff8c6df2a0
> R13: ffffffff9ae57620 R14: 0000000000000000 R15: ffff888026709978
>   instrument_atomic_write include/linux/instrumented.h:82 [inline]
>   atomic_set include/linux/atomic/atomic-instrumented.h:67 [inline]
>   osq_lock_init include/linux/osq_lock.h:25 [inline]
>   __mutex_init+0xae/0x120 kernel/locking/mutex.c:53
>   i2c_register_adapter+0x15d/0x1370 drivers/i2c/i2c-core-base.c:1544
>   i2c_add_adapter drivers/i2c/i2c-core-base.c:1673 [inline]
>   i2c_add_adapter+0x10a/0x1b0 drivers/i2c/i2c-core-base.c:1653
>   devm_i2c_add_adapter+0x1b/0x90 drivers/i2c/i2c-core-base.c:1845
>   mcp2221_probe+0x5f1/0xc50 drivers/hid/hid-mcp2221.c:1289
>   __hid_device_probe drivers/hid/hid-core.c:2775 [inline]
>   hid_device_probe+0x5ba/0x8d0 drivers/hid/hid-core.c:2812
>   call_driver_probe drivers/base/dd.c:581 [inline]
>   really_probe+0x241/0xa90 drivers/base/dd.c:659
>   __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
>   driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
>   __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
>   bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
>   __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
>   bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
>   device_add+0x1148/0x1aa0 drivers/base/core.c:3689
>   hid_add_device+0x31b/0x5c0 drivers/hid/hid-core.c:2951
>   usbhid_probe+0xd38/0x13f0 drivers/hid/usbhid/hid-core.c:1435
>   usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
>   call_driver_probe drivers/base/dd.c:581 [inline]
>   really_probe+0x241/0xa90 drivers/base/dd.c:659
>   __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
>   driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
>   __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
>   bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
>   __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
>   bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
>   device_add+0x1148/0x1aa0 drivers/base/core.c:3689
>   usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
>   usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
>   usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
>   call_driver_probe drivers/base/dd.c:581 [inline]
>   really_probe+0x241/0xa90 drivers/base/dd.c:659
>   __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
>   driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
>   __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
>   bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
>   __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
>   bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
>   device_add+0x1148/0x1aa0 drivers/base/core.c:3689
>   usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
>   hub_port_connect drivers/usb/core/hub.c:5566 [inline]
>   hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
>   port_event drivers/usb/core/hub.c:5870 [inline]
>   hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
>   process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263
>   process_scheduled_works kernel/workqueue.c:3346 [inline]
>   worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427
>   kthread+0x3c5/0x780 kernel/kthread.c:463
>   ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>   </TASK>
> 
> Allocated by task 5918:
>   kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
>   kasan_save_track+0x14/0x30 mm/kasan/common.c:77
>   poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
>   __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417
>   kmalloc_noprof include/linux/slab.h:957 [inline]
>   kzalloc_noprof include/linux/slab.h:1094 [inline]
>   ipv6_add_addr+0x4e3/0x1fe0 net/ipv6/addrconf.c:1120
>   add_addr+0xde/0x350 net/ipv6/addrconf.c:3201
>   add_v4_addrs+0x642/0x980 net/ipv6/addrconf.c:3263
>   addrconf_gre_config net/ipv6/addrconf.c:3545 [inline]
>   addrconf_init_auto_addrs+0x51a/0x810 net/ipv6/addrconf.c:3559
>   addrconf_notify+0xe93/0x19e0 net/ipv6/addrconf.c:3740
>   notifier_call_chain+0xbc/0x410 kernel/notifier.c:85
>   call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2229
>   call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
>   call_netdevice_notifiers net/core/dev.c:2281 [inline]
>   __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9676
>   netif_change_flags+0x108/0x160 net/core/dev.c:9705
>   do_setlink.constprop.0+0xb53/0x4380 net/core/rtnetlink.c:3151
>   rtnl_changelink net/core/rtnetlink.c:3769 [inline]
>   __rtnl_newlink net/core/rtnetlink.c:3928 [inline]
>   rtnl_newlink+0x1446/0x2000 net/core/rtnetlink.c:4065
>   rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6954
>   netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
>   netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
>   netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
>   netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
>   sock_sendmsg_nosec net/socket.c:727 [inline]
>   __sock_sendmsg net/socket.c:742 [inline]
>   __sys_sendto+0x4a3/0x520 net/socket.c:2244
>   __do_sys_sendto net/socket.c:2251 [inline]
>   __se_sys_sendto net/socket.c:2247 [inline]
>   __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2247
>   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>   do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> The buggy address belongs to the object at ffff8880721cbc00
>   which belongs to the cache kmalloc-cg-512 of size 512
> The buggy address is located 583 bytes to the right of
>   allocated 440-byte region [ffff8880721cbc00, ffff8880721cbdb8)
> 
> The buggy address belongs to the physical page:
> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x721c8
> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 00fff00000000040 ffff88813ff30140 ffffea0001e68c00 dead000000000002
> raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
> head: 00fff00000000040 ffff88813ff30140 ffffea0001e68c00 dead000000000002
> head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
> head: 00fff00000000002 ffffea0001c87201 00000000ffffffff 00000000ffffffff
> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5796, tgid 5796 (sshd-session), ts 52056965840, free_ts 15121629475
>   set_page_owner include/linux/page_owner.h:32 [inline]
>   post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1850
>   prep_new_page mm/page_alloc.c:1858 [inline]
>   get_page_from_freelist+0x10a3/0x3a30 mm/page_alloc.c:3884
>   __alloc_frozen_pages_noprof+0x25f/0x2470 mm/page_alloc.c:5183
>   alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
>   alloc_slab_page mm/slub.c:3039 [inline]
>   allocate_slab mm/slub.c:3212 [inline]
>   new_slab+0x24a/0x360 mm/slub.c:3266
>   ___slab_alloc+0xdc4/0x1ae0 mm/slub.c:4636
>   __slab_alloc.constprop.0+0x63/0x110 mm/slub.c:4755
>   __slab_alloc_node mm/slub.c:4831 [inline]
>   slab_alloc_node mm/slub.c:5253 [inline]
>   __do_kmalloc_node mm/slub.c:5626 [inline]
>   __kmalloc_node_track_caller_noprof+0x4db/0x8a0 mm/slub.c:5736
>   kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:601
>   __alloc_skb+0x166/0x380 net/core/skbuff.c:670
>   alloc_skb include/linux/skbuff.h:1383 [inline]
>   alloc_skb_with_frags+0xe0/0x860 net/core/skbuff.c:6671
>   sock_alloc_send_pskb+0x7f9/0x980 net/core/sock.c:2965
>   unix_stream_sendmsg+0x39f/0x1340 net/unix/af_unix.c:2455
>   sock_sendmsg_nosec net/socket.c:727 [inline]
>   __sock_sendmsg net/socket.c:742 [inline]
>   sock_write_iter+0x566/0x610 net/socket.c:1195
>   new_sync_write fs/read_write.c:593 [inline]
>   vfs_write+0x7d3/0x11d0 fs/read_write.c:686
>   ksys_write+0x1f8/0x250 fs/read_write.c:738
> page last free pid 1 tgid 1 stack trace:
>   reset_page_owner include/linux/page_owner.h:25 [inline]
>   free_pages_prepare mm/page_alloc.c:1394 [inline]
>   __free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2906
>   __free_pages mm/page_alloc.c:5302 [inline]
>   free_contig_range+0x183/0x4b0 mm/page_alloc.c:7146
>   destroy_args+0xb69/0x12e0 mm/debug_vm_pgtable.c:958
>   debug_vm_pgtable+0x1a32/0x3640 mm/debug_vm_pgtable.c:1345
>   do_one_initcall+0x123/0x6e0 init/main.c:1283
>   do_initcall_level init/main.c:1345 [inline]
>   do_initcalls init/main.c:1361 [inline]
>   do_basic_setup init/main.c:1380 [inline]
>   kernel_init_freeable+0x5c8/0x920 init/main.c:1593
>   kernel_init+0x1c/0x2b0 init/main.c:1483
>   ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> 
> Memory state around the buggy address:
>   ffff8880721cbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   ffff8880721cbf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff8880721cbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>                                                                  ^
>   ffff8880721cc000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   ffff8880721cc080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ==================================================================
> ----------------
> Code disassembly (best guess):
>     0:	00 00                	add    %al,(%rax)
>     2:	00 00                	add    %al,(%rax)
>     4:	0f 1f 40 00          	nopl   0x0(%rax)
>     8:	90                   	nop
>     9:	90                   	nop
>     a:	90                   	nop
>     b:	90                   	nop
>     c:	90                   	nop
>     d:	90                   	nop
>     e:	90                   	nop
>     f:	90                   	nop
>    10:	90                   	nop
>    11:	90                   	nop
>    12:	90                   	nop
>    13:	90                   	nop
>    14:	90                   	nop
>    15:	90                   	nop
>    16:	90                   	nop
>    17:	90                   	nop
>    18:	0f 1f 40 d6          	nopl   -0x2a(%rax)
>    1c:	48 85 f6             	test   %rsi,%rsi
>    1f:	0f 84 64 01 00 00    	je     0x189
>    25:	48 89 f8             	mov    %rdi,%rax
>    28:	41 54                	push   %r12
> * 2a:	44 0f b6 c2          	movzbl %dl,%r8d <-- trapping instruction
>    2e:	48 01 f0             	add    %rsi,%rax
>    31:	55                   	push   %rbp
>    32:	53                   	push   %rbx
>    33:	0f 82 d7 00 00 00    	jb     0x110
>    39:	eb 0f                	jmp    0x4a
>    3b:	cc                   	int3
>    3c:	cc                   	int3
>    3d:	cc                   	int3
>    3e:	48                   	rex.W
>    3f:	b8                   	.byte 0xb8
> 
> 
> ---
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
> 

[-- Attachment #2: 0001-hid-mcp2221-validate-message-length.patch --]
[-- Type: text/x-patch, Size: 4406 bytes --]

From bfb7f1a3803329224449e1c26c303b1b048e130b Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Wed, 15 Oct 2025 13:49:05 +0200
Subject: [PATCH] hid-mcp2221: validate message length

The message passed to raw_event is of indeterminate length.
Check for length before accessing members.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/hid/hid-mcp2221.c | 44 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index 33603b019f97..f0a97e2af317 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -849,12 +849,18 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 	u8 *buf;
 	struct mcp2221 *mcp = hid_get_drvdata(hdev);
 
+	if (size <= 0)
+		goto bail;
+
 	switch (data[0]) {
 
 	case MCP2221_I2C_WR_DATA:
 	case MCP2221_I2C_WR_NO_STOP:
 	case MCP2221_I2C_RD_DATA:
 	case MCP2221_I2C_RD_RPT_START:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			mcp->status = 0;
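Review bot: every arm of the outer switch touched by this patch opens with the same `if (size < 2) goto bail;` (this arm, and the GET_DATA, GPIO_GET, GPIO_SET, SET/GET_SRAM_SETTINGS and READ_FLASH_DATA arms further down); if no arm of `switch (data[0])` accepts a 1-byte report, a single `if (size < 2)` above the switch would replace the per-case repetition and make the `size <= 0` check redundant. If some arm outside this patch does accept a 1-byte report, a short comment above the first per-case check saying why the bound is per-arm would help the next reader.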
@@ -866,6 +872,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_I2C_PARAM_OR_STATUS:
+		if (size < 4)
+			goto bail;
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			if ((mcp->txbuf[3] == MCP2221_I2C_SET_SPEED) &&
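Review bot: the bound here is 4 rather than the 2 used in the other arms, because the `MCP2221_SUCCESS` branch reads `data[3]` (the condition visible at the end of this hunk); a one-line comment saying so would save the next reader from working it out. Placing the check before `switch (data[1])` also means a 2- or 3-byte report now bails for every `data[1]` value, including arms that may only read `data[1]`; that is probably acceptable, but it is a behaviour change worth stating in the commit message.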
@@ -873,6 +881,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 				mcp->status = -EAGAIN;
 				break;
 			}
+			if (size < 21)
+				goto bail;
 			if (data[20] & MCP2221_I2C_MASK_ADDR_NACK) {
 				mcp->status = -ENXIO;
 				break;
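Review bot: `if (size < 21)` correctly covers the `data[20]` read that follows it, but it guards only that read; anything this arm reads after the visible context (the code following the `-ENXIO` `break;`) needs its own bound, or this check should be raised to the largest offset the arm touches, with a comment naming that offset.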
@@ -889,12 +899,19 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_I2C_GET_DATA:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (size < 3)
+				goto bail;
 			if (data[2] == MCP2221_I2C_ADDR_NACK) {
 				mcp->status = -ENXIO;
 				break;
 			}
+			if (size < 4)
+				goto bail;
 			if (!mcp_get_i2c_eng_state(mcp, data, 2)
 				&& (data[3] == 0)) {
 				mcp->status = 0;
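Review bot: three staggered checks (`size < 2`, `size < 3`, `size < 4`) guard successive single-byte reads in this arm; the only path that stops before `data[3]` is the `MCP2221_I2C_ADDR_NACK` `break`, so a single `if (size < 4)` at the top of the `MCP2221_SUCCESS` arm would be simpler, at the cost of bailing on a 3-byte NACK report. If the 3-byte NACK case must keep working, leave the split as is but say so in a comment, since the next reader will be tempted to merge them.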
@@ -906,7 +923,9 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 			}
 			if (data[2] == MCP2221_I2C_READ_COMPL ||
 			    data[2] == MCP2221_I2C_READ_PARTIAL) {
-				if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+				if (!mcp->rxbuf ||
+				    mcp->rxbuf_idx < 0 || data[3] > 60 ||
+				    data[3] > size - 4 ) {
 					mcp->status = -EINVAL;
 					break;
 				}
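Review bot: stray space before the closing parenthesis in `data[3] > size - 4 )`; kernel style is `data[3] > size - 4)`. The bound itself looks right: assuming this is still the `MCP2221_SUCCESS` arm that the previous hunk guarded with `size < 4`, `size - 4` cannot go negative, and `data[3] > size - 4` rejects a declared payload length that would run past the end of the report.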
@@ -925,8 +944,13 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_GPIO_GET:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (mcp->gp_idx > size)
+				goto bail;
 			if ((data[mcp->gp_idx] == MCP2221_ALT_F_NOT_GPIOV) ||
 				(data[mcp->gp_idx + 1] == MCP2221_ALT_F_NOT_GPIOD)) {
 				mcp->status = -ENOENT;
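Review bot: off-by-two in `if (mcp->gp_idx > size)`: the arm reads `data[mcp->gp_idx]` and `data[mcp->gp_idx + 1]`, so it needs `mcp->gp_idx + 1 < size`; as written, `gp_idx == size` and `gp_idx == size - 1` both pass the check and still read one or two bytes past the report. Suggest `if (size < mcp->gp_idx + 2) goto bail;`.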
@@ -942,8 +966,13 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_GPIO_SET:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (size < mcp->gp_idx)
+				goto bail;
 			if ((data[mcp->gp_idx] == MCP2221_ALT_F_NOT_GPIOV) ||
 				(data[mcp->gp_idx - 1] == MCP2221_ALT_F_NOT_GPIOV)) {
 				mcp->status = -ENOENT;
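Review bot: `if (size < mcp->gp_idx)` is off by one for the `data[mcp->gp_idx]` read (`gp_idx == size` passes and reads `data[size]`), and nothing covers the `data[mcp->gp_idx - 1]` read when `gp_idx` is 0, which indexes the byte before the buffer; suggest `if (!mcp->gp_idx || size <= mcp->gp_idx) goto bail;`. If the patch syzbot tested is this one, the `+966,13` header puts `data[mcp->gp_idx - 1]` at new line 977, which is exactly where the reply below still reports a 1-byte read at an address one byte below a page boundary, the pattern a `data[-1]` read on a page-aligned buffer would leave.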
@@ -958,6 +987,9 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_SET_SRAM_SETTINGS:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			mcp->status = 0;
@@ -969,8 +1001,13 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_GET_SRAM_SETTINGS:
+		if (size < 2)
+			goto bail;
+
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
+			if (size < 22 + 4)
+				goto bail;
 			memcpy(&mcp->mode, &data[22], 4);
 #if IS_REACHABLE(CONFIG_IIO)
 			mcp->dac_value = data[6] & GENMASK(4, 0);
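Review bot: `22 + 4` restates the memcpy's offset and length by hand; tying the bound to the copy, e.g. `if (size < 22 + sizeof(mcp->mode))` if `mode` is a 4-byte array, keeps it from drifting when the copy length changes. The `data[6]` read under `CONFIG_IIO` is covered by the same check.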
@@ -984,6 +1021,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	case MCP2221_READ_FLASH_DATA:
+		if (size < 2)
+			goto bail;
 		switch (data[1]) {
 		case MCP2221_SUCCESS:
 			mcp->status = 0;
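Review bot: missing blank line after `goto bail;` here (and in the `MCP2221_I2C_PARAM_OR_STATUS` hunk), where the other arms in this patch put one; pick one form for all of them.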
@@ -997,6 +1036,8 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 #if IS_REACHABLE(CONFIG_IIO)
 			{
 				u8 tmp;
+				if (size < 8)
+					goto bail;
 				/* DAC scale value */
 				tmp = FIELD_GET(GENMASK(7, 6), data[6]);
 				if ((data[6] & BIT(5)) && tmp)
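Review bot: `if (size < 8)` sits inside the `#if IS_REACHABLE(CONFIG_IIO)` block, so with IIO unreachable this arm keeps only the `size < 2` bound from the previous hunk; that is fine if the non-IIO path reads nothing past `data[1]`, but worth a comment. Also `data[6]` only needs `size < 7`; if 8 was chosen for a `data[7]` read beyond this hunk's context, a comment naming it would make the constant checkable.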
@@ -1021,6 +1062,7 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 		break;
 
 	default:
+bail:
 		mcp->status = -EIO;
 		complete(&mcp->wait_in_report);
 	}
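Review bot: `bail:` is placed under `default:` inside the outer switch, so the `goto bail` added before `switch (data[0])` in the first hunk jumps from outside the switch into one of its arms; this is legal C (no variable-length array is bypassed) but unusual and easy to misread. Consider moving the label below the switch with its own `mcp->status = -EIO;` and `complete(&mcp->wait_in_report);`, with `default:` doing `goto bail;` like the other arms, or factoring those two statements into a small helper and returning through it.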
-- 
2.51.0



* Re: [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event (2)
  2025-10-20 14:00   ` Oliver Neukum
@ 2025-10-20 23:57     ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2025-10-20 23:57 UTC (permalink / raw)
  To: bentiss, jikos, linux-input, linux-kernel, linux-usb, oneukum,
	syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in mcp2221_raw_event

==================================================================
BUG: KASAN: use-after-free in mcp2221_raw_event+0x1276/0x12a0 drivers/hid/hid-mcp2221.c:977
Read of size 1 at addr ffff8880608fffff by task kworker/0:6/6472

CPU: 0 UID: 0 PID: 6472 Comm: kworker/0:6 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 mcp2221_raw_event+0x1276/0x12a0 drivers/hid/hid-mcp2221.c:977
 __hid_input_report.constprop.0+0x314/0x450 drivers/hid/hid-core.c:2139
 hid_irq_in+0x35e/0x870 drivers/hid/usbhid/hid-core.c:286
 __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
 dummy_timer+0x1809/0x3a00 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
 __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1841
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1858
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:unwind_next_frame+0x188/0x20a0 arch/x86/kernel/unwind_orc.c:494
Code: 7f 08 84 c0 0f 85 e4 09 00 00 48 89 e9 41 0f b6 45 35 48 ba 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c 11 00 0f 85 6b 17 00 00 <4d> 8b 7d 48 3c 01 49 83 df 00 4d 85 ff 0f 84 31 09 00 00 49 81 ff
RSP: 0018:ffffc900037f6778 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 1ffff920006fed06
RDX: dffffc0000000000 RSI: ffffffff8bf1e240 RDI: ffffffff8ddafee0
RBP: ffffc900037f6830 R08: 7f6452bb8444a4d6 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffc900037f6838
R13: ffffc900037f67e8 R14: ffffc900037f681d R15: ffff888079bc8000
 arch_stack_walk+0x94/0x100 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
 kasan_save_track+0x14/0x30 mm/kasan/common.c:77
 poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417
 kasan_kmalloc include/linux/kasan.h:262 [inline]
 __do_kmalloc_node mm/slub.c:5627 [inline]
 __kmalloc_node_track_caller_noprof+0x345/0x8a0 mm/slub.c:5736
 kmemdup_noprof+0x29/0x60 mm/util.c:138
 kmemdup_noprof include/linux/fortify-string.h:765 [inline]
 mcp_send_report drivers/hid/hid-mcp2221.c:156 [inline]
 mcp_send_data_req_status+0x56/0x170 drivers/hid/hid-mcp2221.c:182
 mcp_set_i2c_speed drivers/hid/hid-mcp2221.c:241 [inline]
 mcp2221_probe+0x38d/0xc50 drivers/hid/hid-mcp2221.c:1315
 __hid_device_probe drivers/hid/hid-core.c:2775 [inline]
 hid_device_probe+0x5ba/0x8d0 drivers/hid/hid-core.c:2812
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 hid_add_device+0x31b/0x5c0 drivers/hid/hid-core.c:2951
 usbhid_probe+0xd38/0x13f0 drivers/hid/usbhid/hid-core.c:1435
 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263
 process_scheduled_works kernel/workqueue.c:3346 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x608ff
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00017fc008 ffffea0001823f88 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 6288, tgid 6288 (syz-executor), ts 112267604439, free_ts 114447335346
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1850
 prep_new_page mm/page_alloc.c:1858 [inline]
 get_page_from_freelist+0x10a3/0x3a30 mm/page_alloc.c:3884
 __alloc_frozen_pages_noprof+0x25f/0x2470 mm/page_alloc.c:5183
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline]
 alloc_pages_noprof+0x131/0x390 mm/mempolicy.c:2507
 vm_area_alloc_pages mm/vmalloc.c:3647 [inline]
 __vmalloc_area_node mm/vmalloc.c:3724 [inline]
 __vmalloc_node_range_noprof+0x6f8/0x1480 mm/vmalloc.c:3897
 vmalloc_user_noprof+0x9e/0xe0 mm/vmalloc.c:4050
 kcov_ioctl+0x4c/0x730 kernel/kcov.c:716
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6299 tgid 6299 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 __free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2906
 vfree+0x1fd/0xb50 mm/vmalloc.c:3440
 kcov_put kernel/kcov.c:439 [inline]
 kcov_put kernel/kcov.c:435 [inline]
 kcov_close+0x34/0x60 kernel/kcov.c:535
 __fput+0x402/0xb70 fs/file_table.c:468
 task_work_run+0x150/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x86f/0x2bf0 kernel/exit.c:966
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1107
 get_signal+0x2671/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x7c0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x85/0x130 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x426/0xfa0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff8880608ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880608fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880608fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                                ^
 ffff888060900000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888060900080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	7f 08                	jg     0xa
   2:	84 c0                	test   %al,%al
   4:	0f 85 e4 09 00 00    	jne    0x9ee
   a:	48 89 e9             	mov    %rbp,%rcx
   d:	41 0f b6 45 35       	movzbl 0x35(%r13),%eax
  12:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  19:	fc ff df
  1c:	48 c1 e9 03          	shr    $0x3,%rcx
  20:	80 3c 11 00          	cmpb   $0x0,(%rcx,%rdx,1)
  24:	0f 85 6b 17 00 00    	jne    0x1795
* 2a:	4d 8b 7d 48          	mov    0x48(%r13),%r15 <-- trapping instruction
  2e:	3c 01                	cmp    $0x1,%al
  30:	49 83 df 00          	sbb    $0x0,%r15
  34:	4d 85 ff             	test   %r15,%r15
  37:	0f 84 31 09 00 00    	je     0x96e
  3d:	49                   	rex.WB
  3e:	81                   	.byte 0x81
  3f:	ff                   	.byte 0xff


Tested on:

commit:         3a866087 Linux 6.18-rc1
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16300d2f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3e7b5a3627a90dd
dashboard link: https://syzkaller.appspot.com/bug?extid=1018672fe70298606e5f
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13784d42580000



Thread overview: 8+ messages
2025-10-13  4:00 [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event (2) syzbot
2025-10-14 15:20 ` syzbot
2025-10-15 12:06   ` Oliver Neukum
2025-10-15 12:08     ` syzbot
2025-10-15 12:17   ` Oliver Neukum
2025-10-15 12:40     ` syzbot
2025-10-20 14:00   ` Oliver Neukum
2025-10-20 23:57     ` syzbot
