[syzbot] [i2c?] KASAN: stack-out-of-bounds Write in i801_isr (3)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

syzbot found the following issue on:

HEAD commit:    005f6f34bd47 Merge tag 'i2c-for-6.8-rc8' of git://git.kern..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16b0d556180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9711c6169c49ef10
dashboard link: https://syzkaller.appspot.com/bug?extid=554a57aa65b47aa16a47
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-005f6f34.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8a1e40858f35/vmlinux-005f6f34.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9629bd1252c4/bzImage-005f6f34.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+554a57aa65b47aa16a47@xxxxxxxxxxxxxxxxxxxxxxxxx

==================================================================
BUG: KASAN: stack-out-of-bounds in i801_isr_byte_done drivers/i2c/busses/i2c-i801.c:550 [inline]
BUG: KASAN: stack-out-of-bounds in i801_isr drivers/i2c/busses/i2c-i801.c:617 [inline]
BUG: KASAN: stack-out-of-bounds in i801_isr+0xcfe/0xd10 drivers/i2c/busses/i2c-i801.c:598
Write of size 1 at addr ffffc900070dfd98 by task swapper/3/0

CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.8.0-rc7-syzkaller-00238-g005f6f34bd47 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:488
 kasan_report+0xda/0x110 mm/kasan/report.c:601
 i801_isr_byte_done drivers/i2c/busses/i2c-i801.c:550 [inline]
 i801_isr drivers/i2c/busses/i2c-i801.c:617 [inline]
 i801_isr+0xcfe/0xd10 drivers/i2c/busses/i2c-i801.c:598
 __handle_irq_event_percpu+0x22a/0x750 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
 handle_fasteoi_irq+0x233/0xc20 kernel/irq/chip.c:720
 generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
 handle_irq arch/x86/kernel/irq.c:238 [inline]
 __common_interrupt+0xde/0x250 arch/x86/kernel/irq.c:257
 common_interrupt+0x52/0xd0 arch/x86/kernel/irq.c:247
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:640
RIP: 0010:__do_softirq+0x1e0/0x8e7 kernel/softirq.c:539
Code: 89 44 24 18 44 88 74 24 3b 48 c7 c7 c0 59 0b 8b e8 65 31 fc ff 65 66 c7 05 73 ac 3b 75 00 00 e8 d6 47 ca f6 fb bb ff ff ff ff <49> c7 c6 c0 a0 40 8d 41 0f bc dc 83 c3 01 0f 85 a7 00 00 00 e9 70
RSP: 0018:ffffc900008e8f30 EFLAGS: 00000206
RAX: 00000000007499e4 RBX: 00000000ffffffff RCX: 1ffffffff1f3a679
RDX: 0000000000000000 RSI: ffffffff8b0cb3c0 RDI: ffffffff8b6e9980
RBP: 0000000100013d6f R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8f9d6657 R11: 0000000000000000 R12: 0000000000000280
R13: 000000000000000a R14: 0000000000000001 R15: 0000000000000000
 invoke_softirq kernel/softirq.c:427 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:644
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:743
Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d b3 5d 42 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc90000187e08 EFLAGS: 00000246
RAX: 00000000007499dd RBX: 0000000000000003 RCX: ffffffff8ac43eab
RDX: 0000000000000000 RSI: ffffffff8b0cb3c0 RDI: ffffffff8b6e9980
RBP: ffffed1002f51900 R08: 0000000000000001 R09: ffffed100d6a6ded
R10: ffff88806b536f6b R11: 0000000000000000 R12: 0000000000000003
R13: ffff888017a8c800 R14: ffffffff8f9d6650 R15: 0000000000000000
 default_idle_call+0x69/0xa0 kernel/sched/idle.c:97
 cpuidle_idle_call kernel/sched/idle.c:170 [inline]
 do_idle+0x336/0x400 kernel/sched/idle.c:312
 cpu_startup_entry+0x50/0x60 kernel/sched/idle.c:410
 start_secondary+0x220/0x2b0 arch/x86/kernel/smpboot.c:336
 secondary_startup_64_no_verify+0x170/0x17b
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc900070d8000, ffffc900070e1000) created by:
 kernel_clone+0xfd/0x930 kernel/fork.c:2902

The buggy address belongs to the physical page:
page:ffffea0000c2b400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x30ad0
memcg:ffff88810914d102
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff88810914d102
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 11717, tgid 11717 (syz-executor.2), ts 1114592091976, free_ts 1114514350228
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1533
 prep_new_page mm/page_alloc.c:1540 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
 __alloc_pages+0x22c/0x2430 mm/page_alloc.c:4569
 alloc_pages_mpol+0x258/0x600 mm/mempolicy.c:2133
 vm_area_alloc_pages mm/vmalloc.c:3063 [inline]
 __vmalloc_area_node mm/vmalloc.c:3139 [inline]
 __vmalloc_node_range+0xa6e/0x1540 mm/vmalloc.c:3320
 alloc_thread_stack_node kernel/fork.c:307 [inline]
 dup_task_struct kernel/fork.c:1112 [inline]
 copy_process+0x150b/0x97b0 kernel/fork.c:2327
 kernel_clone+0xfd/0x930 kernel/fork.c:2902
 __do_sys_clone3+0x1f5/0x270 kernel/fork.c:3203
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
page last free pid 5219 tgid 5219 stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1140 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2346
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2486
 __folio_put_small mm/swap.c:106 [inline]
 __folio_put+0xc3/0x110 mm/swap.c:129
 folio_put include/linux/mm.h:1494 [inline]
 put_page include/linux/mm.h:1563 [inline]
 free_page_and_swap_cache+0x25a/0x2d0 mm/swap_state.c:304
 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:154 [inline]
 tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:209
 rcu_do_batch kernel/rcu/tree.c:2190 [inline]
 rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
 __do_softirq+0x21c/0x8e7 kernel/softirq.c:553

Memory state around the buggy address:
 ffffc900070dfc80: 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00
 ffffc900070dfd00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
>ffffc900070dfd80: 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00
                            ^
 ffffc900070dfe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
 ffffc900070dfe80: f1 f1 00 f2 f2 f2 00 00 f3 f3 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	89 44 24 18          	mov    %eax,0x18(%rsp)
   4:	44 88 74 24 3b       	mov    %r14b,0x3b(%rsp)
   9:	48 c7 c7 c0 59 0b 8b 	mov    $0xffffffff8b0b59c0,%rdi
  10:	e8 65 31 fc ff       	call   0xfffc317a
  15:	65 66 c7 05 73 ac 3b 	movw   $0x0,%gs:0x753bac73(%rip)        # 0x753bac92
  1c:	75 00 00
  1f:	e8 d6 47 ca f6       	call   0xf6ca47fa
  24:	fb                   	sti
  25:	bb ff ff ff ff       	mov    $0xffffffff,%ebx
* 2a:	49 c7 c6 c0 a0 40 8d 	mov    $0xffffffff8d40a0c0,%r14 <-- trapping instruction
  31:	41 0f bc dc          	bsf    %r12d,%ebx
  35:	83 c3 01             	add    $0x1,%ebx
  38:	0f 85 a7 00 00 00    	jne    0xe5
  3e:	e9                   	.byte 0xe9
  3f:	70                   	.byte 0x70


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup




[Index of Archives]     [Linux GPIO]     [Linux SPI]     [Linux Hardward Monitoring]     [LM Sensors]     [Linux USB Devel]     [Linux Media]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux