Message-ID: <57493af0.akIr4abjopweDkBu%fengguang.wu@intel.com>
Date:	Sat, 28 May 2016 14:30:08 +0800
From:	kernel test robot <fengguang.wu@...el.com>
To:	Erico Nunes <erico.nunes@...acom.ind.br>
Cc:	LKP <lkp@...org>, linux-kernel@...r.kernel.org,
	linux-i2c@...r.kernel.org, Wolfram Sang <wsa@...-dreams.de>,
	wfg@...ux.intel.com
Subject: [i2c: dev] d6760b14d4:  BUG: KASAN: slab-out-of-bounds in
 of_device_uevent at addr ffff8800091b4c49

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit d6760b14d4a1243f918d983bba1e35c5a5cd5a6d
Author:     Erico Nunes <erico.nunes@...acom.ind.br>
AuthorDate: Tue May 3 15:45:43 2016 -0300
Commit:     Wolfram Sang <wsa@...-dreams.de>
CommitDate: Thu May 26 21:18:57 2016 +0200

    i2c: dev: switch from register_chrdev to cdev API
    
    i2c-dev had never moved away from the older register_chrdev interface to
    implement its char device registration. The register_chrdev API has the
    limitation of enabling only up to 256 i2c-dev busses to exist.
    
    Large platforms with lots of i2c devices (i.e. pluggable transceivers)
    with dedicated busses may have to exceed that limit.
    In particular, there are also platforms making use of the i2c bus
    multiplexing API, which instantiates a virtual bus for each possible
    multiplexed selection.
    
    This patch removes the register_chrdev usage and replaces it with the
    less old cdev API, which takes away the 256 i2c-dev bus limitation.
    It should not have any other impact for i2c bus drivers or user space.
    
    This patch has been tested on qemu x86 and qemu powerpc platforms with
    the aid of a module which adds and removes 5000 virtual i2c busses, as
    well as validated on an existing powerpc hardware platform which makes
    use of the i2c bus multiplexing API.
    i2c-dev busses with device minor numbers larger than 256 have also been
    validated to work with the existing i2c-tools.
    
    Signed-off-by: Erico Nunes <erico.nunes@...acom.ind.br>
    [wsa: kept includes sorted]
    Signed-off-by: Wolfram Sang <wsa@...-dreams.de>

+------------------------------------------------------------------+------------+------------+------------+
|                                                                  | e3879e4f31 | d6760b14d4 | c5311a944e |
+------------------------------------------------------------------+------------+------------+------------+
| boot_successes                                                   | 0          | 0          | 0          |
| boot_failures                                                    | 96         | 27         | 21         |
| BUG:KASAN:slab-out-of-bounds_in_of_device_uevent_at_addr         | 94         | 27         | 21         |
| backtrace:of_unittest                                            | 94         | 27         | 21         |
| backtrace:kernel_init_freeable                                   | 96         | 27         | 21         |
| INFO:suspicious_RCU_usage                                        | 2          |            |            |
| backtrace:rcu_torture_writer                                     | 2          |            |            |
| INFO:rcu_sched_self-detected_stall_on_CPU                        | 1          |            |            |
| INFO:rcu_sched_detected_stalls_on_CPUs/tasks                     | 1          |            |            |
| backtrace:__pci_register_driver                                  | 1          |            |            |
| backtrace:virtio_pci_driver_init                                 | 1          |            |            |
| invoked_oom-killer:gfp_mask=0x                                   | 2          |            |            |
| Mem-Info                                                         | 2          |            |            |
| Kernel_panic-not_syncing:Out_of_memory_and_no_killable_processes | 2          |            |            |
| backtrace:vfs_write                                              | 2          |            |            |
| backtrace:SyS_write                                              | 2          |            |            |
| backtrace:populate_rootfs                                        | 2          |            |            |
| BUG:KASAN:use-after-free_in_cdev_del_at_addr                     | 0          | 26         | 21         |
| BUG:KASAN:use-after-free_in_kobject_put_at_addr                  | 0          | 25         | 21         |
| BUG:KASAN:use-after-free_in_cdev_default_release_at_addr         | 0          | 21         | 20         |
| BUG:KASAN:use-after-free_in_cdev_purge_at_addr                   | 0          | 21         | 20         |
+------------------------------------------------------------------+------------+------------+------------+

[   70.613944] /testcase-data/phandle-tests/consumer-a: arguments longer than property
[   70.622462] irq: no irq domain found for /testcase-data/interrupts/intc0 !
[   70.755208] ==================================================================
[   70.757418] BUG: KASAN: slab-out-of-bounds in of_device_uevent+0x1c9/0x2dc at addr ffff8800091b4c49
[   70.759372] Read of size 1 by task swapper/0/1
[   70.764683] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0-10859-gd6760b1 #1
[   70.772916] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
[   70.774885]  0000000000000000 ffff88000999f350 ffffffff8a49bf09 ffffffff00000009
[   70.777048]  ffff880009800100 ffffed0001236989 ffff8800091b4c40 ffff88000999f3c8
[   70.779212]  ffffffff89e60664 ffffffff8ada9499 0000000000000286 ffff88000999f3a0
[   70.781323] Call Trace:
[   70.791845]  [<ffffffff8a49bf09>] dump_stack+0x148/0x1e2
[   70.793055]  [<ffffffff89e60664>] kasan_report+0x2ea/0x515
[   70.798326]  [<ffffffff8ada9499>] ? of_device_uevent+0x1c9/0x2dc
[   70.800646]  [<ffffffff8ada5247>] ? of_find_property+0x4d/0x58
[   70.801874]  [<ffffffff89e5ff6f>] __asan_load1+0x45/0x47
[   70.813884]  [<ffffffff8ada9499>] of_device_uevent+0x1c9/0x2dc
[   70.815115]  [<ffffffff8ada92d0>] ? of_device_get_modalias+0x26f/0x26f
[   70.820197]  [<ffffffff8a4ae85a>] ? vsnprintf+0x9cd/0x9ff
[   70.821433]  [<ffffffff8a790cf0>] dev_uevent+0x2ad/0x4ee
[   70.829809]  [<ffffffff8a790a43>] ? device_get_devnode+0x19b/0x19b
[   70.834311]  [<ffffffff8a4a1916>] ? add_uevent_var+0x1c1/0x1f0
[   70.835635]  [<ffffffff8a4a1755>] ? kobject_action_type+0xf6/0xf6
[   70.847664]  [<ffffffff8a4a93fc>] ? strncpy+0x33/0x51
[   70.848768]  [<ffffffff8a790a43>] ? device_get_devnode+0x19b/0x19b
[   70.850118]  [<ffffffff8a4a1d06>] kobject_uevent_env+0x3c1/0x895
[   70.860750]  [<ffffffff8a4a21fc>] kobject_uevent+0x22/0x24
[   70.861960]  [<ffffffff8a792ffd>] device_add+0x606/0xaa9
[   70.894054]  [<ffffffff8a7929f7>] ? dev_warn+0xfa/0xfa
[   70.895478]  [<ffffffff8ada999b>] ? of_device_make_bus_id+0x198/0x198
[   70.900209]  [<ffffffff89d44723>] ? trace_hardirqs_on_caller+0x27d/0x2c4
[   70.906060]  [<ffffffff8ada8c55>] of_device_add+0xa3/0xaa
[   70.907678]  [<ffffffff8ada9d2c>] of_platform_device_create_pdata+0xd5/0x10a
[   70.909768]  [<ffffffff8adaa1cd>] of_platform_device_create+0x2b/0x30
[   70.921685]  [<ffffffff8adaa2de>] of_platform_notify+0x10c/0x1df
[   70.923298]  [<ffffffff8adaa1d2>] ? of_platform_device_create+0x30/0x30
[   70.929593]  [<ffffffff89d48f1c>] ? lock_acquire+0xd4/0x11c
[   70.931112]  [<ffffffff89d48f1c>] ? lock_acquire+0xd4/0x11c
[   70.951893]  [<ffffffff89d0472a>] ? __blocking_notifier_call_chain+0x52/0x88
[   70.961551]  [<ffffffff89d042de>] notifier_call_chain+0x75/0xbc
[   70.966243]  [<ffffffff89d04740>] __blocking_notifier_call_chain+0x68/0x88
[   70.968020]  [<ffffffff89d04790>] blocking_notifier_call_chain+0x30/0x32
[   70.969607]  [<ffffffff8adaa990>] of_reconfig_notify+0x24/0x4a
[   70.970835]  [<ffffffff8adaae4a>] __of_changeset_entry_notify+0x14a/0x1f3
[   70.972343]  [<ffffffff8adaad00>] ? of_property_notify+0xe0/0xe0
[   70.975869]  [<ffffffff8af5ca06>] ? __mutex_unlock_slowpath+0x2a4/0x2cc
[   70.982674]  [<ffffffff8af5c762>] ? wait_for_completion_killable_timeout+0x10/0x10
[   70.984549]  [<ffffffff8adabf49>] __of_changeset_apply+0x19c/0x21c
[   70.990166]  [<ffffffff8adabf49>] ? __of_changeset_apply+0x19c/0x21c
[   70.991479]  [<ffffffff8adabdad>] ? of_changeset_destroy+0xce/0xce
[   70.996828]  [<ffffffff89d44777>] ? trace_hardirqs_on+0xd/0xf
[   70.998377]  [<ffffffff8ada59b5>] ? of_get_next_child+0x42/0x4c
[   71.003005]  [<ffffffff8adb4311>] of_overlay_create+0x4ee/0x5fc
[   71.004872]  [<ffffffff8adb4311>] ? of_overlay_create+0x4ee/0x5fc
[   71.006479]  [<ffffffff8adb3e23>] ? of_overlay_apply_one+0x2ff/0x2ff
[   71.016412]  [<ffffffff89d44723>] ? trace_hardirqs_on_caller+0x27d/0x2c4
[   71.017791]  [<ffffffff89d44777>] ? trace_hardirqs_on+0xd/0xf
[   71.022493]  [<ffffffff8ada5de8>] ? of_find_node_opts_by_path+0x2e6/0x2f8
[   71.024266]  [<ffffffff8ae88571>] of_unittest_apply_overlay+0x76/0xf4
[   71.028045]  [<ffffffff8ae88692>] of_unittest_apply_overlay_check+0xa3/0x13b
[   71.029540]  [<ffffffff8ce573c7>] of_unittest+0x2772/0x3480
[   71.030788]  [<ffffffff8ce54c55>] ? of_unittest_check_tree_linkage+0x158/0x158
[   71.032654]  [<ffffffff8a4a0834>] ? kobject_add_internal+0x4e6/0x4e6
[   71.034051]  [<ffffffff8a4a21fc>] ? kobject_uevent+0x22/0x24
[   71.035278]  [<ffffffff8a4a0a78>] ? kset_register+0x4e/0x56
[   71.036509]  [<ffffffff8cdd2bae>] ? set_debug_rodata+0x20/0x20
[   71.037812]  [<ffffffff8ae8818f>] ? add_sysfs_fw_map_entry+0xce/0xd6
[   71.043278]  [<ffffffff8ce54c55>] ? of_unittest_check_tree_linkage+0x158/0x158
[   71.045152]  [<ffffffff8cdd2bae>] ? set_debug_rodata+0x20/0x20
[   71.056264]  [<ffffffff8cdd373a>] do_one_initcall+0x114/0x252
[   71.057549]  [<ffffffff8cdd3626>] ? start_kernel+0x637/0x637
[   71.065513]  [<ffffffff8cdd2c40>] ? repair_env_string+0x92/0x9d
[   71.066841]  [<ffffffff89d01df7>] ? parse_args+0x5a6/0x5b9
[   71.070327]  [<ffffffff8cdd2bae>] ? set_debug_rodata+0x20/0x20
[   71.075364]  [<ffffffff8cdd3a6b>] kernel_init_freeable+0x1f3/0x2ab
[   71.076718]  [<ffffffff8af4e186>] kernel_init+0x11/0x15c
[   71.077922]  [<ffffffff8af6354f>] ret_from_fork+0x1f/0x40
[   71.085098]  [<ffffffff8af4e175>] ? rest_init+0x17c/0x17c
[   71.086576] Object at ffff8800091b4c40, in cache kmalloc-32
[   71.088079] Object allocated with size 9 bytes.
[   71.089348] Allocation:
[   71.090224] PID = 1
[   71.091019]  [<ffffffff89c3bfbf>] save_stack_trace+0x26/0x41
[   71.092508]  [<ffffffff89e5f5b6>] kasan_kmalloc+0x80/0x10c
[   71.093881]  [<ffffffff89e5fbd2>] kasan_kmalloc+0x85/0x91
[   71.095157]  [<ffffffff89e5d787>] __kmalloc_track_caller+0x1b5/0x1c9
[   71.096776]  [<ffffffff89e134da>] kmemdup+0x24/0x4e
[   71.098287]  [<ffffffff8adab9df>] __of_prop_dup+0xe0/0x169
[   71.101716]  [<ffffffff8adb3bf6>] of_overlay_apply_one+0xd2/0x2ff
[   71.109820]  [<ffffffff8adb3dac>] of_overlay_apply_one+0x288/0x2ff
[   71.118779]  [<ffffffff8adb42a9>] of_overlay_create+0x486/0x5fc
[   71.120137]  [<ffffffff8ae88571>] of_unittest_apply_overlay+0x76/0xf4
[   71.122042]  [<ffffffff8ae88692>] of_unittest_apply_overlay_check+0xa3/0x13b
[   71.127825]  [<ffffffff8ce573c7>] of_unittest+0x2772/0x3480
[   71.129106]  [<ffffffff8cdd373a>] do_one_initcall+0x114/0x252
[   71.131270]  [<ffffffff8cdd3a6b>] kernel_init_freeable+0x1f3/0x2ab
[   71.133851]  [<ffffffff8af4e186>] kernel_init+0x11/0x15c
[   71.135085]  [<ffffffff8af6354f>] ret_from_fork+0x1f/0x40
[   71.136492] Memory state around the buggy address:
[   71.146901]  ffff8800091b4b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   71.156678]  ffff8800091b4b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc

git bisect start c5311a944e65241db0c1d6777ba8dc678e4b95ce 2dcd0af568b0cf583645c8a317dd12e344b1c72a --
git bisect good 165884dee0c0ca098e86853542e5a66aebea1882  # 12:12     21+     25  Merge 'sound/for-next' into devel-spot-201605281009
git bisect  bad 2eb9daf8a36c42f56363126db4d0951ae268d1f2  # 12:21      0-     21  Merge 'linux-review/William-Wu/support-rockchip-dwc3-driver/20160527-193349' into devel-spot-201605281009
git bisect good 9f550046a4a630521250f8c888c5e0d4338d2fa8  # 12:35     22+     24  Merge 'linux-review/Javier-Martinez-Canillas/mwifiex-Fix-some-error-handling-issues-in-mwifiex_sdio_probe-function/20160527-222338' into devel-spot-201605281009
git bisect  bad 34b019584b93b0815e3fd335d261eac21034c067  # 12:54      0-     22  Merge 'drm-intel/drm-intel-nightly' into devel-spot-201605281009
git bisect good 025de5b31b692cd182c8c1ca85f40f9a1be76cca  # 13:10     22+     22  Merge 'linux-review/Srinivas-Kandagatla/ASoC-msm8916-Add-codec-Device-Tree-bindings/20160527-215246' into devel-spot-201605281009
git bisect  bad 4301b354cf48a772cdd27ae07c7f17240f202dfe  # 13:19      4-     14  Merge 'linux-review/Shardar-Shariff-Md/i2c-tegra-use-readx_poll_timeout-after-config_load-reg-programmed/20160527-215125' into devel-spot-201605281009
git bisect good 67fed0da5ac23ab6187c362b7ade08339872f718  # 13:30     22+     24  i2c: at91: change log when dma configuration fails
git bisect  bad d6760b14d4a1243f918d983bba1e35c5a5cd5a6d  # 13:46      1-      4  i2c: dev: switch from register_chrdev to cdev API
git bisect good e3879e4f3179121b1b59fd0033379d0ee700dead  # 13:54     22+     26  i2c: xlr: rename ARCH_TANGOX to ARCH_TANGO
# first bad commit: [d6760b14d4a1243f918d983bba1e35c5a5cd5a6d] i2c: dev: switch from register_chrdev to cdev API
git bisect good e3879e4f3179121b1b59fd0033379d0ee700dead  # 14:03     70+     96  i2c: xlr: rename ARCH_TANGOX to ARCH_TANGO
# extra tests with CONFIG_DEBUG_INFO_REDUCED
git bisect  bad d6760b14d4a1243f918d983bba1e35c5a5cd5a6d  # 14:09      0-     12  i2c: dev: switch from register_chrdev to cdev API
# extra tests on HEAD of linux-devel/devel-spot-201605281009
git bisect  bad c5311a944e65241db0c1d6777ba8dc678e4b95ce  # 14:10      0-     21  0day head guard for 'devel-spot-201605281009'
# extra tests on tree/branch linus/master
git bisect  bad ed2608faa0f701b1dbc65277a9e5c7ff7118bfd4  # 14:21      0-      3  Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
# extra tests on tree/branch linus/master
git bisect  bad ed2608faa0f701b1dbc65277a9e5c7ff7118bfd4  # 14:21      0-     29  Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
# extra tests on tree/branch linux-next/master
git bisect  bad b5631e1f2c1c8bac5bc866d4a7f8c6f415cae9e9  # 14:29      0-     22  Add linux-next specific files for 20160527


---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-vm-kbuild-yocto-x86_64-34:20160528134626:x86_64-randconfig-s5-05281135:4.6.0-10859-gd6760b1:1.gz" of type "application/gzip" (59588 bytes)

Download attachment "dmesg-quantal-intel12-10:20160528135445:x86_64-randconfig-s5-05281135:4.6.0-10858-ge3879e4:1.gz" of type "application/gzip" (58230 bytes)

View attachment "config-4.6.0-10859-gd6760b1" of type "text/plain" (90580 bytes)
