[syzbot] [i2c?] KASAN: stack-out-of-bounds Write in i801_isr (3)


syzbot
Mar 14, 2024, 7:17:23 AM
to andi....@kernel.org, jdel...@suse.com, linu...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 005f6f34bd47 Merge tag 'i2c-for-6.8-rc8' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16b0d556180000
kernel config: https://syzkaller.appspot.com/x/.config?x=9711c6169c49ef10
dashboard link: https://syzkaller.appspot.com/bug?extid=554a57aa65b47aa16a47
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-005f6f34.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8a1e40858f35/vmlinux-005f6f34.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9629bd1252c4/bzImage-005f6f34.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+554a57...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: stack-out-of-bounds in i801_isr_byte_done drivers/i2c/busses/i2c-i801.c:550 [inline]
BUG: KASAN: stack-out-of-bounds in i801_isr drivers/i2c/busses/i2c-i801.c:617 [inline]
BUG: KASAN: stack-out-of-bounds in i801_isr+0xcfe/0xd10 drivers/i2c/busses/i2c-i801.c:598
Write of size 1 at addr ffffc900070dfd98 by task swapper/3/0

CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.8.0-rc7-syzkaller-00238-g005f6f34bd47 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
i801_isr_byte_done drivers/i2c/busses/i2c-i801.c:550 [inline]
i801_isr drivers/i2c/busses/i2c-i801.c:617 [inline]
i801_isr+0xcfe/0xd10 drivers/i2c/busses/i2c-i801.c:598
__handle_irq_event_percpu+0x22a/0x750 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
handle_fasteoi_irq+0x233/0xc20 kernel/irq/chip.c:720
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq arch/x86/kernel/irq.c:238 [inline]
__common_interrupt+0xde/0x250 arch/x86/kernel/irq.c:257
common_interrupt+0x52/0xd0 arch/x86/kernel/irq.c:247
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:640
RIP: 0010:__do_softirq+0x1e0/0x8e7 kernel/softirq.c:539
Code: 89 44 24 18 44 88 74 24 3b 48 c7 c7 c0 59 0b 8b e8 65 31 fc ff 65 66 c7 05 73 ac 3b 75 00 00 e8 d6 47 ca f6 fb bb ff ff ff ff <49> c7 c6 c0 a0 40 8d 41 0f bc dc 83 c3 01 0f 85 a7 00 00 00 e9 70
RSP: 0018:ffffc900008e8f30 EFLAGS: 00000206
RAX: 00000000007499e4 RBX: 00000000ffffffff RCX: 1ffffffff1f3a679
RDX: 0000000000000000 RSI: ffffffff8b0cb3c0 RDI: ffffffff8b6e9980
RBP: 0000000100013d6f R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8f9d6657 R11: 0000000000000000 R12: 0000000000000280
R13: 000000000000000a R14: 0000000000000001 R15: 0000000000000000
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:743
Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d b3 5d 42 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc90000187e08 EFLAGS: 00000246
RAX: 00000000007499dd RBX: 0000000000000003 RCX: ffffffff8ac43eab
RDX: 0000000000000000 RSI: ffffffff8b0cb3c0 RDI: ffffffff8b6e9980
RBP: ffffed1002f51900 R08: 0000000000000001 R09: ffffed100d6a6ded
R10: ffff88806b536f6b R11: 0000000000000000 R12: 0000000000000003
R13: ffff888017a8c800 R14: ffffffff8f9d6650 R15: 0000000000000000
default_idle_call+0x69/0xa0 kernel/sched/idle.c:97
cpuidle_idle_call kernel/sched/idle.c:170 [inline]
do_idle+0x336/0x400 kernel/sched/idle.c:312
cpu_startup_entry+0x50/0x60 kernel/sched/idle.c:410
start_secondary+0x220/0x2b0 arch/x86/kernel/smpboot.c:336
secondary_startup_64_no_verify+0x170/0x17b
</TASK>

The buggy address belongs to the virtual mapping at
[ffffc900070d8000, ffffc900070e1000) created by:
kernel_clone+0xfd/0x930 kernel/fork.c:2902

The buggy address belongs to the physical page:
page:ffffea0000c2b400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x30ad0
memcg:ffff88810914d102
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff88810914d102
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 11717, tgid 11717 (syz-executor.2), ts 1114592091976, free_ts 1114514350228
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
__alloc_pages+0x22c/0x2430 mm/page_alloc.c:4569
alloc_pages_mpol+0x258/0x600 mm/mempolicy.c:2133
vm_area_alloc_pages mm/vmalloc.c:3063 [inline]
__vmalloc_area_node mm/vmalloc.c:3139 [inline]
__vmalloc_node_range+0xa6e/0x1540 mm/vmalloc.c:3320
alloc_thread_stack_node kernel/fork.c:307 [inline]
dup_task_struct kernel/fork.c:1112 [inline]
copy_process+0x150b/0x97b0 kernel/fork.c:2327
kernel_clone+0xfd/0x930 kernel/fork.c:2902
__do_sys_clone3+0x1f5/0x270 kernel/fork.c:3203
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
page last free pid 5219 tgid 5219 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2346
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2486
__folio_put_small mm/swap.c:106 [inline]
__folio_put+0xc3/0x110 mm/swap.c:129
folio_put include/linux/mm.h:1494 [inline]
put_page include/linux/mm.h:1563 [inline]
free_page_and_swap_cache+0x25a/0x2d0 mm/swap_state.c:304
__tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
__tlb_remove_table_free mm/mmu_gather.c:154 [inline]
tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:209
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21c/0x8e7 kernel/softirq.c:553

Memory state around the buggy address:
ffffc900070dfc80: 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00
ffffc900070dfd00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
>ffffc900070dfd80: 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00
^
ffffc900070dfe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
ffffc900070dfe80: f1 f1 00 f2 f2 f2 00 00 f3 f3 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 89 44 24 18 mov %eax,0x18(%rsp)
4: 44 88 74 24 3b mov %r14b,0x3b(%rsp)
9: 48 c7 c7 c0 59 0b 8b mov $0xffffffff8b0b59c0,%rdi
10: e8 65 31 fc ff call 0xfffc317a
15: 65 66 c7 05 73 ac 3b movw $0x0,%gs:0x753bac73(%rip) # 0x753bac92
1c: 75 00 00
1f: e8 d6 47 ca f6 call 0xf6ca47fa
24: fb sti
25: bb ff ff ff ff mov $0xffffffff,%ebx
* 2a: 49 c7 c6 c0 a0 40 8d mov $0xffffffff8d40a0c0,%r14 <-- trapping instruction
31: 41 0f bc dc bsf %r12d,%ebx
35: 83 c3 01 add $0x1,%ebx
38: 0f 85 a7 00 00 00 jne 0xe5
3e: e9 .byte 0xe9
3f: 70 .byte 0x70


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup