[BUG] KASAN: slab-out-of-bounds in select_usb_power_delivery_show

[Shuangpeng Bai]

Hi Kernel Maintainers,

I hit the following report while testing current upstream kernel:

KASAN: slab-out-of-bounds in select_usb_power_delivery_show

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/79c08ada299b3ae37b7a0af292ca413f

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>

[  102.318332] BUG: KASAN: slab-out-of-bounds in select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
[  102.319225] Read of size 8 at addr ffff888117d2f2c0 by task cat/8378
[  102.319943] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  102.319952] Call Trace:
[  102.320044]  select_usb_power_delivery_show (drivers/usb/typec/class.c:1642)
[  102.320066]  dev_attr_show (drivers/base/core.c:2421)
[  102.320081]  sysfs_kf_seq_show (fs/sysfs/file.c:65)
[  102.320085]  seq_read_iter (fs/seq_file.c:231)
[  102.320107]  vfs_read (fs/read_write.c:493 fs/read_write.c:574)
[  102.320140]  ksys_read (fs/read_write.c:717)
[  102.320146]  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[  102.320160]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
[  102.334419] Allocated by task 1129 on cpu 0 at 52.398062s:
[  102.336306]  tcpm_fw_get_caps (./include/linux/device/devres.h:59 ./include/linux/device/devres.h:63 drivers/usb/typec/tcpm/tcpm.c:7986)
[  102.336658]  tcpm_register_port (drivers/usb/typec/tcpm/tcpm.c:8519)
[  102.337014]  fusb302_probe (drivers/usb/typec/tcpm/fusb302.c:1759)
[  102.337349]  i2c_device_probe (drivers/i2c/i2c-core-base.c:591)
[  102.341175]  i2c_acpi_add_device (drivers/i2c/i2c-core-acpi.c:291 drivers/i2c/i2c-core-acpi.c:305)
[  102.342660]  i2c_register_adapter (drivers/i2c/i2c-core-base.c:1594)
[  102.343044]  i801_probe (drivers/i2c/busses/i2c-i801.c:1665)
[  102.347449] The buggy address belongs to the object at ffff888117d2f280
[  102.347449]  which belongs to the cache kmalloc-64 of size 64
[  102.348432] The buggy address is located 0 bytes to the right of
[  102.348432]  allocated 64-byte region [ffff888117d2f280, ffff888117d2f2c0)
[  102.376916] Kernel panic - not syncing: KASAN: panic_on_warn set ...


Best,
Shuangpeng