On Mon, 23 Mar 2020 12:37:33 +0300, Dan Carpenter wrote: > On Sun, Mar 22, 2020 at 11:11:06PM +0100, Jean Delvare wrote: > > Definitely not correct. The first byte of the block data array MUST be > > the size of the block read. Even if the code above does not do the > > right thing, removing the line will not help. > > > > Yeah. I misread the code. > > > Is it possible that kasan got this wrong due to the convoluted logic? > > It's late and I'll check again tomorrow morning but the code looks OK > > to me. > > KASan doesn't work like that. It works at runtime and doesn't care > about the logic. > > https://syzkaller.appspot.com/bug?id=426fc8b1c1b63fb0af524d839dfcf452f2d858e2 > > At the bottom of the report it shows that we're in a field of f9 > poisoned data so it's not priv->len which is wrong. (My patch was way > off). > > mm/kasan/kasan.h:#define KASAN_VMALLOC_INVALID 0xF9 /* unallocated space in vmapped page */ > > The logic looks okay to me too. So possibly this was a race condition > or even memory corruption in an unrelated part of the kernel. I checked out the exact kernel version this report was generated for, and the faulty line is: 592: priv->data[priv->count++] = inb(SMBBLKDAT(priv)); This would suggest the problem is with priv->count growing beyond the end of the array, however the fact that we land in a memory spot full of 0xF9 kind of excludes this possibility (the data before the spot would contain different data if it was the case). The other option is that priv->count wasn't initialized at the time it is used. However I can't see how this could happen, given that the priv structure is kzalloc'd. So, to be honest I can't really see how priv->count can get wrong. So I would be tempted to lend towards the theory that the i2c-i801 driver was a collateral victim of a memory corruption happening somewhere else in the kernel. Wouldn't Kasan catch this too? Is it possible to access the other Kasan reports from the same test run? -- Jean Delvare SUSE L3 Support
