From: kernel test robot <oliver.sang@intel.com>
To: Perr Zhang <perr@usb7.net>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
	<linux-kernel@vger.kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	<linux-usb@vger.kernel.org>, <oliver.sang@intel.com>
Subject: [linus:master] [usb]  b8fb6db6cb: BUG:KASAN:global-out-of-bounds_in_usb_copy_descriptors
Date: Tue, 24 Sep 2024 21:38:27 +0800
Message-ID: <202409242143.d9949646-lkp@intel.com>



Hello,

kernel test robot noticed "BUG:KASAN:global-out-of-bounds_in_usb_copy_descriptors" on:

commit: b8fb6db6cb04e3c35d661d0f6cf6f8dc7444ce0c ("usb: f_uac1: adds support for SS and SSP")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

[test failed on linus/master      abf2050f51fdca0fd146388f83cddd95a57a008d]
[test failed on linux-next/master ef545bc03a65438cabe87beb1b9a15b0ffcb6ace]

in testcase: boot

compiler: clang-18
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+--------------------------------------------------------+------------+------------+
|                                                        | 36d586c057 | b8fb6db6cb |
+--------------------------------------------------------+------------+------------+
| BUG:KASAN:global-out-of-bounds_in_usb_copy_descriptors | 0          | 6          |
+--------------------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202409242143.d9949646-lkp@intel.com


[ 112.946534][ T1] BUG: KASAN: global-out-of-bounds in usb_copy_descriptors (ld-temp.o:?) 
[  112.947205][    T1] Read of size 160 at addr ffffffff87d27da0 by task swapper/1
[  112.947348][    T1]
[  112.947348][    T1] CPU: 0 PID: 1 Comm: swapper Tainted: G                T  6.7.0-rc5-00081-gb8fb6db6cb04 #1 0b74b627eecd14071872650b3288b2fae55c3c90
[  112.947348][    T1] Call Trace:
[  112.947348][    T1]  <TASK>
[ 112.947348][ T1] dump_stack_lvl (ld-temp.o:?) 
[ 112.947348][ T1] print_report (ld-temp.o:?) 
[ 112.947348][ T1] ? start_report (ld-temp.o:?) 
[ 112.947348][ T1] ? usb_copy_descriptors (ld-temp.o:?) 
[ 112.947348][ T1] kasan_report (ld-temp.o:?) 
[ 112.947348][ T1] ? usb_copy_descriptors (ld-temp.o:?) 
[ 112.947348][ T1] kasan_check_range (ld-temp.o:?) 
[ 112.947348][ T1] ? usb_copy_descriptors (ld-temp.o:?) 
[ 112.947348][ T1] __asan_memcpy (ld-temp.o:?) 
[ 112.947348][ T1] usb_copy_descriptors (ld-temp.o:?) 
[ 112.947348][ T1] usb_assign_descriptors (ld-temp.o:?) 
[ 112.947348][ T1] f_audio_bind (ld-temp.o:?) 
[ 112.947348][ T1] usb_add_function (ld-temp.o:?) 
[ 112.947348][ T1] ? f_audio_alloc (ld-temp.o:?) 
[ 112.947348][ T1] ? __cfi_audio_do_config (ld-temp.o:?) 
[ 112.947348][ T1] audio_do_config (ld-temp.o:?) 
[ 112.947348][ T1] usb_add_config (ld-temp.o:?) 
[ 112.947348][ T1] ? try_get_usb_function_instance (ld-temp.o:?) 
[ 112.947348][ T1] ? usb_get_function_instance (ld-temp.o:?) 
[ 112.947348][ T1] audio_bind (ld-temp.o:?) 
[ 112.947348][ T1] composite_bind (ld-temp.o:?) 
[ 112.947348][ T1] ? really_probe (ld-temp.o:?) 
[ 112.947348][ T1] ? __cfi_composite_bind (ld-temp.o:?) 
[ 112.947348][ T1] gadget_bind_driver (ld-temp.o:?) 
[ 112.947348][ T1] ? really_probe (ld-temp.o:?) 
[ 112.947348][ T1] really_probe (ld-temp.o:?) 
[ 112.947348][ T1] __driver_probe_device (ld-temp.o:?) 
[ 112.947348][ T1] driver_probe_device (ld-temp.o:?) 
[ 112.947348][ T1] __device_attach_driver (ld-temp.o:?) 
[ 112.947348][ T1] ? __cfi___device_attach_driver (ld-temp.o:?) 
[ 112.947348][ T1] bus_for_each_drv (ld-temp.o:?) 
[ 112.947348][ T1] __device_attach (ld-temp.o:?) 
[ 112.947348][ T1] ? bus_probe_device (ld-temp.o:?) 
[ 112.947348][ T1] bus_probe_device (ld-temp.o:?) 
[ 112.947348][ T1] device_add (ld-temp.o:?) 
[ 112.947348][ T1] usb_add_gadget (ld-temp.o:?) 
[ 112.947348][ T1] ? usb_add_gadget_udc_release (ld-temp.o:?) 
[ 112.947348][ T1] ? __cfi_usb_udc_nop_release (ld-temp.o:?) 
[ 112.947348][ T1] usb_add_gadget_udc_release (ld-temp.o:?) 
[ 112.947348][ T1] vudc_probe (ld-temp.o:?) 
[ 112.947348][ T1] platform_probe (ld-temp.o:?) 
[ 112.947348][ T1] really_probe (ld-temp.o:?) 
[ 112.947348][ T1] __driver_probe_device (ld-temp.o:?) 
[ 112.947348][ T1] driver_probe_device (ld-temp.o:?) 
[ 112.947348][ T1] __device_attach_driver (ld-temp.o:?) 
[ 112.947348][ T1] ? __cfi___device_attach_driver (ld-temp.o:?) 
[ 112.947348][ T1] bus_for_each_drv (ld-temp.o:?) 
[ 112.947348][ T1] __device_attach (ld-temp.o:?) 
[ 112.947348][ T1] ? bus_probe_device (ld-temp.o:?) 
[ 112.947348][ T1] bus_probe_device (ld-temp.o:?) 
[ 112.947348][ T1] device_add (ld-temp.o:?) 
[ 112.947348][ T1] platform_device_add (ld-temp.o:?) 
[ 112.947348][ T1] ? platform_device_alloc (ld-temp.o:?) 
[ 112.947348][ T1] vudc_init (ld-temp.o:?) 
[ 112.947348][ T1] do_one_initcall (init/main.c:1236) 
[ 112.947348][ T1] ? __cfi___initstub__kmod_usbip_vudc__683_89_vudc_init6 (ld-temp.o:?) 
[ 112.947348][ T1] ? lockdep_hardirqs_on_prepare (ld-temp.o:?) 
[ 112.947348][ T1] ? __schedule (ld-temp.o:?) 
[ 112.947348][ T1] ? lockdep_hardirqs_on_prepare (ld-temp.o:?) 
[ 112.947348][ T1] ? irqentry_exit (ld-temp.o:?) 
[ 112.947348][ T1] ? parameq (ld-temp.o:?) 
[ 112.947348][ T1] ? __cfi_ignore_unknown_bootoption (init/main.c:1283) 
[ 112.947348][ T1] ? parse_args (ld-temp.o:?) 
[ 112.947348][ T1] ? __kasan_slab_alloc (ld-temp.o:?) 
[ 112.947348][ T1] do_initcall_level (init/main.c:1297) 
[ 112.947348][ T1] do_initcalls (init/main.c:1311) 
[ 112.947348][ T1] kernel_init_freeable (init/main.c:1555) 
[ 112.947348][ T1] ? __cfi_kernel_init (init/main.c:1439) 
[ 112.947348][ T1] kernel_init (kernel/async.c:254 kernel/async.c:241 init/main.c:1443) 
[ 112.947348][ T1] ret_from_fork (ld-temp.o:?) 
[ 112.947348][ T1] ? __cfi_kernel_init (init/main.c:1439) 
[ 112.947348][ T1] ret_from_fork_asm (arch/x86/entry/entry_64.S:250) 
[  112.947348][    T1]  </TASK>
[  112.947348][    T1]
[  112.947348][    T1] The buggy address belongs to the variable:
[ 112.947348][ T1] ac_header_desc+0x0/0x20 
[  112.947348][    T1]
[  112.947348][    T1] The buggy address belongs to the physical page:
[  112.947348][    T1] page:ffffea00001f49c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7d27
[  112.947348][    T1] flags: 0x4000(reserved|zone=0)
[  112.947348][    T1] page_type: 0xffffffff()
[  112.947348][    T1] raw: 0000000000004000 ffffea00001f49c8 ffffea00001f49c8 0000000000000000
[  112.947348][    T1] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[  112.947348][    T1] page dumped because: kasan: bad access detected
[  112.947348][    T1] page_owner info is not present (never set?)
[  112.947348][    T1]
[  112.947348][    T1] Memory state around the buggy address:
[  112.947348][    T1]  ffffffff87d27c80: 00 00 f9 f9 00 00 f9 f9 00 00 f9 f9 00 00 f9 f9
[  112.947348][    T1]  ffffffff87d27d00: 00 00 f9 f9 00 00 f9 f9 00 00 f9 f9 00 00 f9 f9
[  112.947348][    T1] >ffffffff87d27d80: 00 00 f9 f9 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9
[  112.947348][    T1]                                   ^
[  112.947348][    T1]  ffffffff87d27e00: 00 00 f9 f9 00 00 f9 f9 00 00 f9 f9 00 00 f9 f9
[  112.947348][    T1]  ffffffff87d27e80: 00 f9 f9 f9 00 f9 f9 f9 00 00 f9 f9 00 00 f9 f9
[  112.947348][    T1] ==================================================================
[  113.005042][    T1] Disabling lock debugging due to kernel taint



The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240924/202409242143.d9949646-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

