[BUG] i2c: i801: crash with NX fault after invalid SMBus block read

From: 王志

Date: Sat Apr 18 2026 - 08:03:26 EST


Dear Maintainers,

We encountered a kernel crash in the i2c-i801 driver while fuzzing the upstream Linux kernel using a customized syzkaller.

Environment:
HEAD commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449
git tree: upstream

Logs:
Output: https://github.com/manual0/crash/blob/main/131112cd0834ef3b4db5a89cc5e3190858eb4898/report0
Kernel config: https://github.com/manual0/crash/blob/main/6.18-syzbot.config

Problem:
A malformed SMBus request triggers an invalid block read size:
i801_smbus: Illegal SMBus block read size 0
Shortly after, the kernel crashes with an NX fault:
BUG: unable to handle page fault (instruction fetch)
kernel tried to execute NX-protected page

Fault details:
RIP: secclass_map+0x165b/0x8dc0
CR2: ffffffff85ff85fb
error_code: 0x0011 (permissions violation)
The crash occurs during syscall return to userspace:
do_syscall_64
entry_SYSCALL_64_after_hwframe

Impact:
Malformed SMBus input from userspace can lead to a kernel crash due to execution of a non-executable memory region.
Given that the fault is caused by an instruction fetch from an invalid address, this may indicate a corruption of
kernel control flow after handling the invalid SMBus request.

Notes:
We have not yet obtained a reliable reproducer, but the issue can be triggered under fuzzing workloads.

If this is fixed, please consider adding:
Reported-by: Zhi Wang <wangzhi@xxxxxxxxxxxxxxxxx>

Thanks,
Zhi Wang
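To read the "Fault details" in the report the way a kernel developer would, here is an added C example; it is not part of the bug report or of the kernel sources. It decodes the x86 page-fault error code (bit layout per the Intel SDM, Vol. 3A) and checks that the faulting address lies in the x86_64 kernel-image mapping (__START_KERNEL_map = 0xffffffff80000000). The only inputs are the values quoted in the report: error_code 0x0011 and CR2 ffffffff85ff85fb. The flag and function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not from the report or the kernel: decode an x86 #PF
 * error code.  Bit layout per the Intel SDM, Vol. 3A, "Page-Fault
 * Exceptions".
 */
#define PF_PROT   (1u << 0)   /* 1: protection violation, 0: page not present */
#define PF_WRITE  (1u << 1)   /* 1: write access, 0: read or instruction fetch */
#define PF_USER   (1u << 2)   /* 1: fault taken while CPL == 3 (user mode) */
#define PF_RSVD   (1u << 3)   /* reserved bit set in a paging-structure entry */
#define PF_INSTR  (1u << 4)   /* 1: instruction fetch (only reported with NX/XD on) */
#define PF_PK     (1u << 5)   /* protection-key violation */
#define PF_SS     (1u << 6)   /* shadow-stack access */
#define PF_SGX    (1u << 15)  /* SGX access-control violation */

struct pf_decoded {
    bool present, write, user, rsvd, instr, pk, ss, sgx;
};

struct pf_decoded pf_decode(uint32_t ec)
{
    struct pf_decoded d = {
        .present = (ec & PF_PROT) != 0,
        .write   = (ec & PF_WRITE) != 0,
        .user    = (ec & PF_USER) != 0,
        .rsvd    = (ec & PF_RSVD) != 0,
        .instr   = (ec & PF_INSTR) != 0,
        .pk      = (ec & PF_PK) != 0,
        .ss      = (ec & PF_SS) != 0,
        .sgx     = (ec & PF_SGX) != 0,
    };
    return d;
}

/*
 * The combination the kernel reports as "kernel tried to execute
 * NX-protected page": a kernel-mode instruction fetch that hit a page
 * which is mapped (present) but whose PTE carries the NX bit.
 */
bool pf_is_kernel_nx_fault(uint32_t ec)
{
    struct pf_decoded d = pf_decode(ec);
    return d.present && d.instr && !d.user && !d.rsvd;
}

/*
 * On x86_64 the kernel image (text, rodata, data) is mapped from
 * __START_KERNEL_map = 0xffffffff80000000 upward.  A fetch fault in that
 * range whose RIP resolves to a data symbol (secclass_map is SELinux's
 * const class table, i.e. not code) fits control flow diverted into
 * non-executable kernel data.
 */
#define START_KERNEL_MAP 0xffffffff80000000ULL

bool pf_addr_in_kernel_image(uint64_t addr)
{
    return addr >= START_KERNEL_MAP;
}

/* Render the decoded flags as a short human-readable string into buf. */
const char *pf_describe(uint32_t ec, char *buf, size_t n)
{
    struct pf_decoded d = pf_decode(ec);
    snprintf(buf, n, "%s %s %s%s%s%s%s",
             d.present ? "present" : "not-present",
             d.write ? "write" : (d.instr ? "instr-fetch" : "read"),
             d.user ? "user" : "kernel",
             d.rsvd ? " rsvd" : "",
             d.pk ? " pkey" : "",
             d.ss ? " shadow-stack" : "",
             d.sgx ? " sgx" : "");
    return buf;
}

int main(void)
{
    /* Values taken from the report above. */
    uint32_t ec = 0x0011;
    uint64_t cr2 = 0xffffffff85ff85fbULL;
    char buf[64];

    printf("error_code 0x%04x: %s\n", ec, pf_describe(ec, buf, sizeof buf));
    printf("kernel NX fault: %s\n", pf_is_kernel_nx_fault(ec) ? "yes" : "no");
    printf("CR2 %#llx in kernel image: %s\n", (unsigned long long)cr2,
           pf_addr_in_kernel_image(cr2) ? "yes" : "no");
    return 0;
}
```

For 0x0011 only PF_PROT and PF_INSTR are set, so the page was mapped and the CPU was fetching an instruction from it in kernel mode: an NX violation, not a stray dereference of an unmapped address. Because the fault is an instruction fetch, CR2 is the fetch address itself, so ffffffff85ff85fb is the numeric RIP behind "secclass_map+0x165b" and sits inside the kernel image in read-only SELinux data, which is what makes the report's suspicion of corrupted control flow plausible rather than a simple NULL or wild pointer.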