On Fri, 6 Dec 2019, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit: 1f22d15c usb: gadget: add raw-gadget interface > git tree: https://github.com/google/kasan.git usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=11d12861e00000 > kernel config: https://syzkaller.appspot.com/x/.config?x=8ccee2968018adcb > dashboard link: https://syzkaller.appspot.com/bug?extid=09ef48aa58261464b621 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=101a781ee00000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d71c2ae00000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+09ef48aa58261464b621@xxxxxxxxxxxxxxxxxxxxxxxxx > > ================================================================== > BUG: KASAN: slab-out-of-bounds in __extract drivers/hid/hid-core.c:1345 > [inline] > BUG: KASAN: slab-out-of-bounds in hid_field_extract+0x150/0x170 > drivers/hid/hid-core.c:1365 > Read of size 1 at addr ffff8881cf50f000 by task swapper/0/0 Diagnostic patch. #syz test: https://github.com/google/kasan.git 1f22d15c Index: usb-devel/drivers/hid/hid-core.c =================================================================== --- usb-devel.orig/drivers/hid/hid-core.c +++ usb-devel/drivers/hid/hid-core.c @@ -1488,6 +1488,7 @@ static void hid_input_field(struct hid_d if (!value) return; + hid_info(hid, "Field offset %u size %u count %u\n", offset, size, count); for (n = 0; n < count; n++) { value[n] = min < 0 ? @@ -1712,6 +1713,7 @@ int hid_report_raw_event(struct hid_devi } if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { + hid_info(hid, "Report rsize %u csize %u\n", rsize, csize); for (a = 0; a < report->maxfield; a++) hid_input_field(hid, report->field[a], cdata, interrupt); hdrv = hid->driver;
