stack-out-of-bounds in edt_ft5x06
[ 14.855316] edt_ft5x06 2-0038: No GPIO consumer wake found
[ 14.862275] ==================================================================
[ 14.869529] BUG: KASAN: stack-out-of-bounds in _regmap_bus_read+0x144/0x1c0
[ 14.876534] Write of size 4 at addr ffff8000844679e0 by task kworker/u8:3/53
[ 14.885111] CPU: 1 PID: 53 Comm: kworker/u8:3 Not tainted 6.6.0-1-librem5 #1
[ 14.892179] Hardware name: Purism Librem 5r4 (DT)
[ 14.896902] Workqueue: events_unbound async_run_entry_fn
[ 14.902253] Call trace:
[ 14.904715] dump_backtrace+0xa0/0x128
[ 14.908493] show_stack+0x20/0x38
[ 14.911835] dump_stack_lvl+0x48/0x60
[ 14.915525] print_address_description.constprop.0+0x84/0x398
[ 14.921296] kasan_report+0x108/0x138
[ 14.924987] __asan_report_store4_noabort+0x20/0x30
[ 14.929894] _regmap_bus_read+0x144/0x1c0
[ 14.933930] _regmap_read+0xf0/0x458
[ 14.937527] regmap_read+0xb0/0x148
[ 14.941037] edt_ft5x06_ts_probe+0x678/0x2ec8 [edt_ft5x06]
[ 14.946592] i2c_device_probe+0x2dc/0x6e8
[ 14.950633] really_probe+0x334/0x9b0
[ 14.954323] __driver_probe_device+0x164/0x3d8
[ 14.958792] driver_probe_device+0x64/0x180
[ 14.963001] __driver_attach_async_helper+0xe0/0x240
[ 14.967990] async_run_entry_fn+0x98/0x3c0
[ 14.972116] process_one_work+0x4e4/0xe68
[ 14.976154] worker_thread+0x8c8/0xf70
[ 14.979935] kthread+0x2c0/0x350
[ 14.983190] ret_from_fork+0x10/0x20
[ 14.988296] The buggy address belongs to stack of task kworker/u8:3/53
[ 14.994841] and is located at offset 80 in frame:
[ 14.999645] edt_ft5x06_ts_probe+0x8/0x2ec8 [edt_ft5x06]
[ 15.006529] This frame has 4 objects:
[ 15.010206] [48, 52) 'val'
[ 15.010221] [64, 68) 'val'
[ 15.013026] [80, 82) 'chip_id'
[ 15.015835] [96, 119) 'rdbuf'
[ 15.023548] The buggy address belongs to the virtual mapping at
[ffff800084460000, ffff800084469000) created by:
kernel_clone+0x12c/0x790
[ 15.040386] The buggy address belongs to the physical page:
[ 15.045969] page:000000005ad3d089 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x422d2
[ 15.045984] flags: 0x0(zone=0)
[ 15.045995] page_type: 0xffffffff()
[ 15.046012] raw: 0000000000000000 0000000000000000 dead000000000122 0000000000000000
[ 15.046027] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 15.046036] page dumped because: kasan: bad access detected
[ 15.047544] Memory state around the buggy address:
[ 15.052345] ffff800084467880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 15.052356] ffff800084467900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 15.052365] >ffff800084467980: 00 00 f1 f1 f1 f1 f1 f1 04 f2 04 f2 02 f2 00 00
[ 15.052372]                                                        ^
[ 15.052380] ffff800084467a00: 07 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
[ 15.052388] ffff800084467a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 15.052395] ==================================================================
[ 15.056349] Disabling lock debugging due to kernel taint
[ 15.074399] ==================================================================
[ 15.109717] BUG: KASAN: stack-out-of-bounds in _regmap_bus_read+0x144/0x1c0
[ 15.109752] Write of size 4 at addr ffff8000844679e1 by task kworker/u8:3/53
[ 15.109772] CPU: 1 PID: 53 Comm: kworker/u8:3 Tainted: G B 6.6.0-1-librem5 #1
[ 15.109785] Hardware name: Purism Librem 5r4 (DT)
[ 15.109795] Workqueue: events_unbound async_run_entry_fn
[ 15.109819] Call trace:
[ 15.109824] dump_backtrace+0xa0/0x128
[ 15.109842] show_stack+0x20/0x38
[ 15.109857] dump_stack_lvl+0x48/0x60
[ 15.109874] print_address_description.constprop.0+0x84/0x398
[ 15.109889] kasan_report+0x108/0x138
[ 15.109900] __asan_report_store4_noabort+0x20/0x30
[ 15.109915] _regmap_bus_read+0x144/0x1c0
[ 15.109927] _regmap_read+0xf0/0x458
[ 15.109938] regmap_read+0xb0/0x148
[ 15.109948] edt_ft5x06_ts_probe+0x688/0x2ec8 [edt_ft5x06]
[ 15.109999] i2c_device_probe+0x2dc/0x6e8
[ 15.110015] really_probe+0x334/0x9b0
[ 15.110030] __driver_probe_device+0x164/0x3d8
[ 15.110043] driver_probe_device+0x64/0x180
[ 15.110056] __driver_attach_async_helper+0xe0/0x240
[ 15.110071] async_run_entry_fn+0x98/0x3c0
[ 15.110083] process_one_work+0x4e4/0xe68
[ 15.110099] worker_thread+0x8c8/0xf70
[ 15.110113] kthread+0x2c0/0x350
[ 15.110127] ret_from_fork+0x10/0x20
[ 15.110146] The buggy address belongs to stack of task kworker/u8:3/53
[ 15.110153] and is located at offset 81 in frame:
[ 15.110158] edt_ft5x06_ts_probe+0x8/0x2ec8 [edt_ft5x06]
[ 15.110203] This frame has 4 objects:
[ 15.110211] [48, 52) 'val'
[ 15.110218] [64, 68) 'val'
[ 15.110226] [80, 82) 'chip_id'
[ 15.110233] [96, 119) 'rdbuf'
[ 15.110247] The buggy address belongs to the virtual mapping at
[ffff800084460000, ffff800084469000) created by:
kernel_clone+0x12c/0x790
[ 15.110271] The buggy address belongs to the physical page:
[ 15.110278] page:000000005ad3d089 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x422d2
[ 15.110293] flags: 0x0(zone=0)
[ 15.110303] page_type: 0xffffffff()
[ 15.110316] raw: 0000000000000000 0000000000000000 dead000000000122 0000000000000000
[ 15.110326] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 15.110333] page dumped because: kasan: bad access detected
[ 15.110341] Memory state around the buggy address:
[ 15.110349] ffff800084467880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 15.110358] ffff800084467900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 15.110366] >ffff800084467980: 00 00 f1 f1 f1 f1 f1 f1 04 f2 04 f2 02 f2 00 00
[ 15.110372]                                                        ^
[ 15.110380] ffff800084467a00: 07 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
[ 15.110389] ffff800084467a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 15.110395] ==================================================================
[ 15.117721] edt_ft5x06 2-0038: verify id:0x8622
[ 15.117753] edt_ft5x06 2-0038: get ic information, chip id = 0x8622
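Reading the two reports together: the frame listing gives chip_id as a 2-byte object at [80, 82), and the shadow row shows it as "02 f2" (two addressable bytes, then a stack redzone). regmap_read() takes an unsigned int * for its value argument and therefore always stores 4 bytes through it. The first 4-byte store lands at frame offset 80 and the second at offset 81, which is consistent with each byte of chip_id being passed to regmap_read() separately, with the remaining bytes of every store spilling into the redzone. The driver source is not on this page, so the C program below is an added illustration rather than the driver's own code: it models that pattern against a constructed register file (the register numbers 0xA3/0x9F and their contents are made up, chosen so that the fixed version yields the 0x8622 printed in the log), counts the bytes written past chip_id, and shows the fix of reading into unsigned int temporaries and narrowing explicitly.

```c
/*
 * Added illustration, not the edt_ft5x06 driver's code: a 4-byte register
 * read stored into a 2-byte stack object, and the pattern that avoids it.
 * The kernel's regmap_read() is declared as
 *     int regmap_read(struct regmap *, unsigned int reg, unsigned int *val);
 * so it stores sizeof(unsigned int) == 4 bytes through val.  Register
 * numbers, register contents and the frame model are constructed for the demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REG_ID_HI 0xA3    /* hypothetical: register holding the chip id high byte */
#define REG_ID_LO 0x9F    /* hypothetical: register holding the chip id low byte  */
#define REDZONE_BYTE 0xf2 /* KASAN's stack-mid-redzone marker, reused as a canary */

/* Constructed register file standing in for the I2C device behind the regmap. */
struct fake_regmap {
    unsigned int reg[256];
};

/* Models regmap_read(): stores a whole unsigned int through val, like the real API. */
static int fake_regmap_read(const struct fake_regmap *map, unsigned int reg,
                            unsigned int *val)
{
    if (reg > 0xff)
        return -1;      /* the kernel would return -EINVAL */
    *val = map->reg[reg];
    return 0;
}

/*
 * Compile-time check: only an unsigned int * is accepted, so passing
 * &chip_id for a uint16_t chip_id is a build error.  An explicit cast
 * still defeats it, which is why the buggy function below uses memcpy
 * to model such a cast in well-defined C.
 */
#define CHECKED_REGMAP_READ(map, reg, valp) \
    fake_regmap_read((map), (reg), _Generic((valp), unsigned int *: (valp)))

/* Model of the probe frame: the 2-byte chip_id and the bytes after it. */
struct frame_model {
    uint16_t chip_id;
    unsigned char redzone[6];
};

static void frame_init(struct frame_model *f)
{
    f->chip_id = 0;
    memset(f->redzone, REDZONE_BYTE, sizeof(f->redzone));
}

/* Number of bytes after chip_id that were overwritten (KASAN reports the first). */
static int redzone_bytes_clobbered(const struct frame_model *f)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(f->redzone); i++)
        n += (f->redzone[i] != REDZONE_BYTE);
    return n;
}

/*
 * Buggy pattern matching the two reports: a 4-byte store at chip_id
 * (frame offset 80) and another at chip_id + 1 (offset 81), as a cast
 * like regmap_read(map, reg, (unsigned int *)&chip_id) would produce.
 */
static int buggy_read_chip_id(const struct fake_regmap *map, struct frame_model *f)
{
    unsigned int tmp;
    unsigned char *p = (unsigned char *)&f->chip_id;

    if (fake_regmap_read(map, REG_ID_HI, &tmp))
        return -1;
    memcpy(p, &tmp, sizeof(tmp));      /* 4 bytes into a 2-byte object */
    if (fake_regmap_read(map, REG_ID_LO, &tmp))
        return -1;
    memcpy(p + 1, &tmp, sizeof(tmp));  /* 4 bytes starting 1 byte in */
    return 0;
}

/* Fixed pattern: read into unsigned ints sized for the API, then narrow explicitly. */
static int safe_read_chip_id(const struct fake_regmap *map, struct frame_model *f)
{
    unsigned int hi, lo;

    if (CHECKED_REGMAP_READ(map, REG_ID_HI, &hi))
        return -1;
    if (CHECKED_REGMAP_READ(map, REG_ID_LO, &lo))
        return -1;
    f->chip_id = (uint16_t)(((hi & 0xff) << 8) | (lo & 0xff));
    return 0;
}

/* Constructed device: id bytes chosen to give the 0x8622 seen in the log. */
static void device_init(struct fake_regmap *map)
{
    memset(map, 0, sizeof(*map));
    map->reg[REG_ID_HI] = 0x86;
    map->reg[REG_ID_LO] = 0x22;
}

/* Runs the buggy pattern; returns how many bytes were written past chip_id. */
int demo_buggy_overflow_bytes(void)
{
    struct fake_regmap map;
    struct frame_model f;

    device_init(&map);
    frame_init(&f);
    buggy_read_chip_id(&map, &f);
    return redzone_bytes_clobbered(&f);
}

/* Runs the fixed pattern; returns the chip id, or 0 if the redzone was touched. */
unsigned int demo_safe_chip_id(void)
{
    struct fake_regmap map;
    struct frame_model f;

    device_init(&map);
    frame_init(&f);
    if (safe_read_chip_id(&map, &f) || redzone_bytes_clobbered(&f))
        return 0;
    return f.chip_id;
}

int main(void)
{
    printf("buggy pattern: %d byte(s) written past chip_id\n", demo_buggy_overflow_bytes());
    printf("fixed pattern: chip id 0x%04x, redzone intact\n", demo_safe_chip_id());
    return 0;
}
```

The buggy variant overwrites three bytes beyond chip_id on either endianness, and on a big-endian host it also leaves the wrong value in chip_id, because the narrowing happens by truncation instead of by masking. The _Generic guard, like the kernel's incompatible-pointer-types warning, only catches an uncast uint16_t * argument; once a cast is added neither sees anything, which is why a KASAN build with stack instrumentation is the net that caught this at runtime.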
Edited by Sebastian Krzyszkowiak