| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1466155518.9422.41.camel@intel.com>
Date: Fri, 17 Jun 2016 17:25:18 +0800
From: Zhang Rui <rui.zhang@...el.com>
To: kernel test robot <xiaolong.ye@...el.com>,
Eduardo Valentin <edubezval@...il.com>
Cc: LKML <linux-kernel@...r.kernel.org>,
Stephen Rothwell <sfr@...b.auug.org.au>, lkp@...org
Subject: Re: [lkp] [thermal] 24bc2fa031: BUG: KASAN: slab-out-of-bounds in
thermal_zone_device_register+0x749/0x10a0 at addr ffff880000134140
On 四, 2016-06-16 at 09:27 +0800, kernel test robot wrote:
> FYI, we noticed the following commit:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
> master
> commit 24bc2fa031f094c05c017a862732924cb46ad2c1 ("thermal: core: move
> trips attributes to tz->device.groups")
>
this should be fixed in the latest thermal -next branch, by the
following refreshed patch,
thanks,
rui
>From e1e917e790b70b88bd418545a29b1eefa01a5566 Mon Sep 17 00:00:00 2001
From: Eduardo Valentin <edubezval@...il.com>
Date: Mon, 30 May 2016 23:18:21 -0700
Subject: [PATCH] thermal: core: move trips attributes to tz->device.groups
Finally, move the last thermal zone sysfs attributes to
tz->device.groups: trips attributes. This requires adding a
attribute_group to thermal_zone_device, creating it dynamically, and
then setting all trips attributes in it. The trips attribute is then
added to the tz->device.groups.
As the removal of all attributes are handled by device core, the device
remove calls are not needed anymore.
Cc: Zhang Rui <rui.zhang@...el.com>
Cc: linux-pm@...r.kernel.org
Cc: linux-kernel@...r.kernel.org
Signed-off-by: Eduardo Valentin <edubezval@...il.com>
Signed-off-by: Zhang Rui <rui.zhang@...el.com>
---
drivers/thermal/thermal_core.c | 78 ++++++++++++++++++++++--------------------
include/linux/thermal.h | 2 ++
2 files changed, 42 insertions(+), 38 deletions(-)
diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
index 657ba02..9926c89 100644
--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -1188,8 +1188,9 @@ static const struct attribute_group *thermal_zone_attribute_groups[] = {
*/
static int create_trip_attrs(struct thermal_zone_device *tz, int mask)
{
- int indx;
int size = sizeof(struct thermal_attr) * tz->trips;
+ struct attribute **attrs;
+ int indx;
tz->trip_type_attrs = kzalloc(size, GFP_KERNEL);
if (!tz->trip_type_attrs)
@@ -1210,6 +1211,15 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)
}
}
+ attrs = kzalloc(sizeof(*attrs) * tz->trips * 3 + 1, GFP_KERNEL);
+ if (!attrs) {
+ kfree(tz->trip_type_attrs);
+ kfree(tz->trip_temp_attrs);
+ if (tz->ops->get_trip_hyst)
+ kfree(tz->trip_hyst_attrs);
+ return -ENOMEM;
+ }
+
for (indx = 0; indx < tz->trips; indx++) {
/* create trip type attribute */
snprintf(tz->trip_type_attrs[indx].name, THERMAL_NAME_LENGTH,
@@ -1220,9 +1230,7 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)
tz->trip_type_attrs[indx].name;
tz->trip_type_attrs[indx].attr.attr.mode = S_IRUGO;
tz->trip_type_attrs[indx].attr.show = trip_point_type_show;
-
- device_create_file(&tz->device,
- &tz->trip_type_attrs[indx].attr);
+ attrs[indx] = &tz->trip_type_attrs[indx].attr.attr;
/* create trip temp attribute */
snprintf(tz->trip_temp_attrs[indx].name, THERMAL_NAME_LENGTH,
@@ -1239,9 +1247,7 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)
tz->trip_temp_attrs[indx].attr.store =
trip_point_temp_store;
}
-
- device_create_file(&tz->device,
- &tz->trip_temp_attrs[indx].attr);
+ attrs[indx + tz->trips] = &tz->trip_temp_attrs[indx].attr.attr;
/* create Optional trip hyst attribute */
if (!tz->ops->get_trip_hyst)
@@ -1259,45 +1265,39 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)
tz->trip_hyst_attrs[indx].attr.store =
trip_point_hyst_store;
}
-
- device_create_file(&tz->device,
- &tz->trip_hyst_attrs[indx].attr);
+ attrs[indx + tz->trips * 2] =
+ &tz->trip_hyst_attrs[indx].attr.attr;
}
- return 0;
-}
+ attrs[tz->trips * 3] = NULL;
-static void remove_trip_attrs(struct thermal_zone_device *tz)
-{
- int indx;
+ tz->trips_attribute_group.attrs = attrs;
- for (indx = 0; indx < tz->trips; indx++) {
- device_remove_file(&tz->device,
- &tz->trip_type_attrs[indx].attr);
- device_remove_file(&tz->device,
- &tz->trip_temp_attrs[indx].attr);
- if (tz->ops->get_trip_hyst)
- device_remove_file(&tz->device,
- &tz->trip_hyst_attrs[indx].attr);
- }
- kfree(tz->trip_type_attrs);
- kfree(tz->trip_temp_attrs);
- kfree(tz->trip_hyst_attrs);
+ return 0;
}
-static int thermal_zone_create_device_groups(struct thermal_zone_device *tz)
+static int thermal_zone_create_device_groups(struct thermal_zone_device *tz,
+ int mask)
{
const struct attribute_group **groups;
- int i, size;
+ int i, size, result;
- size = ARRAY_SIZE(thermal_zone_attribute_groups) + 1;
+ /* we need one extra for trips and the NULL to terminate the array */
+ size = ARRAY_SIZE(thermal_zone_attribute_groups) + 2;
/* This also takes care of API requirement to be NULL terminated */
groups = kcalloc(size, sizeof(*groups), GFP_KERNEL);
if (!groups)
return -ENOMEM;
- for (i = 0; i < size - 1; i++)
+ for (i = 0; i < size - 2; i++)
groups[i] = thermal_zone_attribute_groups[i];
+ if (tz->trips) {
+ result = create_trip_attrs(tz, mask);
+ if (result)
+ return result;
+ groups[size - 2] = &tz->trips_attribute_group;
+ }
+
tz->device.groups = groups;
return 0;
@@ -1934,8 +1934,12 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
tz->passive_delay = passive_delay;
tz->polling_delay = polling_delay;
+ /* sys I/F */
/* Add nodes that are always present via .groups */
- thermal_zone_create_device_groups(tz);
+ result = thermal_zone_create_device_groups(tz, mask);
+ if (result)
+ goto unregister;
+
/* A new thermal zone needs to be updated anyway. */
atomic_set(&tz->need_update, 1);
@@ -1947,11 +1951,6 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
return ERR_PTR(result);
}
- /* sys I/F */
- result = create_trip_attrs(tz, mask);
- if (result)
- goto unregister;
-
for (count = 0; count < trips; count++) {
if (tz->ops->get_trip_type(tz, count, &trip_type))
set_bit(count, &tz->trips_disabled);
@@ -2056,7 +2055,10 @@ void thermal_zone_device_unregister(struct thermal_zone_device *tz)
thermal_zone_device_set_polling(tz, 0);
- remove_trip_attrs(tz);
+ kfree(tz->trip_type_attrs);
+ kfree(tz->trip_temp_attrs);
+ kfree(tz->trip_hyst_attrs);
+ kfree(tz->trips_attribute_group.attrs);
thermal_set_governor(tz, NULL);
thermal_remove_hwmon_sysfs(tz);
diff --git a/include/linux/thermal.h b/include/linux/thermal.h
index ee517be..580809c 100644
--- a/include/linux/thermal.h
+++ b/include/linux/thermal.h
@@ -28,6 +28,7 @@
#include <linux/of.h>
#include <linux/idr.h>
#include <linux/device.h>
+#include <linux/sysfs.h>
#include <linux/workqueue.h>
#include <uapi/linux/thermal.h>
@@ -187,6 +188,7 @@ struct thermal_zone_device {
int id;
char type[THERMAL_NAME_LENGTH];
struct device device;
+ struct attribute_group trips_attribute_group;
struct thermal_attr *trip_temp_attrs;
struct thermal_attr *trip_type_attrs;
struct thermal_attr *trip_hyst_attrs;
--
2.7.4
>
> on test machine: vm-lkp-wsx03-quantal-x86_64: 2 threads qemu-system-
> x86_64 -enable-kvm -cpu Haswell,+smep,+smap with 360M memory
>
> caused below changes:
>
>
> +------------------------------------------------------------------
> ----+------------+------------+
> >
> >
> > | 79f34853ba | 24bc2fa031 |
> +------------------------------------------------------------------
> ----+------------+------------+
> >
> > boot_successes
> > | 2 | 0 |
> > boot_failures
> > | 6 | 8 |
> > IP-Config:Auto-
> > configuration_of_network_failed |
> > 6 | 4 |
> > BUG:KASAN:slab-out-of-
> > bounds_in_thermal_zone_device_register_at_addr | 0 |
> > 8 |
> > BUG:KASAN:slab-out-of-
> > bounds_in_internal_create_group_at_addr | 0 |
> > 8 |
> > backtrace:power_supply_register
> > | 0 | 8 |
> > backtrace:test_power_init
> > | 0 | 8 |
> > backtrace:kernel_init_freeable
> > | 0 | 8 |
> +------------------------------------------------------------------
> ----+------------+------------+
>
>
>
> [ 7.103767] __power_supply_register: Expected proper parent device
> for 'test_ac'
> [ 7.105699] __power_supply_register: Expected proper parent device
> for 'test_battery'
> [ 7.108318]
> ==================================================================
> [ 7.109325] BUG: KASAN: slab-out-of-bounds in
> thermal_zone_device_register+0x749/0x10a0 at addr ffff880000134140
> [ 7.110709] Write of size 8 by task swapper/1
> [ 7.111312] CPU: 0 PID: 1 Comm: swapper Not tainted 4.7.0-rc3-
> 00014-g24bc2fa0 #1
> [ 7.112309] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS Debian-1.8.2-1 04/01/2014
> [ 7.113506] ffff880000134160 ffff880010897b58 ffffffff817356d9
> ffff880010897bd8
> [ 7.114588] ffffffff811ebffc 0000000000000000 0000000000000000
> 0000000000000297
> [ 7.115652] ffffffff811eadf5 ffff88000013415f 1ffff1000002682c
> ffff880010897bd8
> [ 7.116720] Call Trace:
> [ 7.117080] [<ffffffff817356d9>] dump_stack+0x19/0x20
> [ 7.117777] [<ffffffff811ebffc>] kasan_report_error+0x1ec/0x5a0
> [ 7.118598] [<ffffffff811eadf5>] ?
> kasan_unpoison_shadow+0x35/0x50
> [ 7.119454] [<ffffffff811eb4a9>] ? kasan_kmalloc+0xd9/0x100
> [ 7.120239] [<ffffffff811ec3e3>] kasan_report+0x33/0x40
> [ 7.120967] [<ffffffff81d44e39>] ?
> thermal_zone_device_register+0x749/0x10a0
> [ 7.121949] [<ffffffff811ebc81>] __asan_store8+0x61/0x70
> [ 7.122699] [<ffffffff81d44e39>]
> thermal_zone_device_register+0x749/0x10a0
> [ 7.123646] [<ffffffff81d446f0>] ?
> thermal_notify_framework+0x10/0x10
> [ 7.124545] [<ffffffff818f0640>] ? dev_warn+0xe0/0xe0
> [ 7.125259] [<ffffffff821c5d49>] ? _raw_spin_unlock_irq+0x9/0x20
> [ 7.126104] [<ffffffff8190959c>] ?
> device_wakeup_enable+0xbc/0x110
> [ 7.126956] [<ffffffff81ca1179>]
> __power_supply_register+0x5c9/0x700
> [ 7.127840] [<ffffffff81ca185e>] power_supply_register+0xe/0x10
> [ 7.128663] [<ffffffff83269716>] test_power_init+0x35/0xeb
> [ 7.129433] [<ffffffff832696e1>] ?
> wm8350_power_driver_init+0x14/0x14
> [ 7.130328] [<ffffffff832222cd>] do_one_initcall+0xef/0x1a1
> [ 7.131111] [<ffffffff83221aae>] ? repair_env_string+0x2f/0x73
> [ 7.131912] [<ffffffff832221de>] ? start_kernel+0x447/0x447
> [ 7.132689] [<ffffffff810fca00>] ? parameq+0xa0/0xa0
> [ 7.133385] [<ffffffff83221a7f>] ? set_debug_rodata+0x12/0x12
> [ 7.134192] [<ffffffff83222516>] kernel_init_freeable+0x197/0x228
> [ 7.135042] [<ffffffff821b4d2e>] kernel_init+0xe/0x110
> [ 7.135751] [<ffffffff821c629f>] ret_from_fork+0x1f/0x40
> [ 7.136488] [<ffffffff821b4d20>] ? rest_init+0x90/0x90
> [ 7.137207] Object at ffff880000134140, in cache kmalloc-32
> [ 7.137952] Object allocated with size 1 bytes.
> [ 7.138572] Allocation:
> [ 7.138909] PID = 1
> [ 7.139216] [<ffffffff81032e55>] save_stack_trace+0x25/0x40
> [ 7.139993] [<ffffffff811ead36>] save_stack+0x46/0xd0
> [ 7.140714] [<ffffffff811eb4a9>] kasan_kmalloc+0xd9/0x100
> [ 7.141479] [<ffffffff811e92a6>] __kmalloc+0xe6/0x1d0
> [ 7.142201] [<ffffffff81d44a9c>]
> thermal_zone_device_register+0x3ac/0x10a0
> [ 7.143162] [<ffffffff81ca1179>]
> __power_supply_register+0x5c9/0x700
> [ 7.144076] [<ffffffff81ca185e>] power_supply_register+0xe/0x10
> [ 7.144913] [<ffffffff83269716>] test_power_init+0x35/0xeb
> [ 7.145698] [<ffffffff832222cd>] do_one_initcall+0xef/0x1a1
> [ 7.146487] [<ffffffff83222516>] kernel_init_freeable+0x197/0x228
> [ 7.147359] [<ffffffff821b4d2e>] kernel_init+0xe/0x110
> [ 7.148105] [<ffffffff821c629f>] ret_from_fork+0x1f/0x40
> [ 7.148860] Memory state around the buggy address:
> [ 7.149548] ffff880000134000: 00 fc fc fc fc fc fc fc 00 03 fc fc
> fc fc fc fc
> [ 7.150578] ffff880000134080: 06 fc fc fc fc fc fc fc 03 fc fc fc
> fc fc fc fc
>
>
> FYI, raw QEMU command line is:
>
> qemu-system-x86_64 -enable-kvm -cpu Haswell,+smep,+smap -kernel
> /pkg/linux/x86_64-randconfig-s1-06151451/gcc-
> 6/24bc2fa031f094c05c017a862732924cb46ad2c1/vmlinuz-4.7.0-rc3-00014-
> g24bc2fa0 -append 'root=/dev/ram0 user=lkp job=/lkp/scheduled/vm-lkp-
> wsx03-quantal-x86_64-8/bisect_boot-1-quantal-core-x86_64.cgz-x86_64-
> randconfig-s1-06151451-24bc2fa031f094c05c017a862732924cb46ad2c1-
> 20160615-110339-ip9qk6-0.yaml~ ARCH=x86_64 kconfig=x86_64-randconfig-
> s1-06151451 branch=linux-devel/devel-spot-201606151338
> commit=24bc2fa031f094c05c017a862732924cb46ad2c1
> BOOT_IMAGE=/pkg/linux/x86_64-randconfig-s1-06151451/gcc-
> 6/24bc2fa031f094c05c017a862732924cb46ad2c1/vmlinuz-4.7.0-rc3-00014-
> g24bc2fa0 max_uptime=600 RESULT_ROOT=/result/boot/1/vm-lkp-wsx03-
> quantal-x86_64/quantal-core-x86_64.cgz/x86_64-randconfig-s1-
> 06151451/gcc-6/24bc2fa031f094c05c017a862732924cb46ad2c1/0
> LKP_SERVER=inn earlyprintk=ttyS0,115200 systemd.log_level=err debug
> apic=debug sysrq_always_enabled rcupdate.rcu_cpu_stall_timeout=100
> panic=-1 softlockup_panic=1 nmi_watchdog=panic oops=panic
> load_ramdisk=2 prompt_ramdisk=0 console=ttyS0,115200 console=tty0
> vga=normal rw ip=::::vm-lkp-wsx03-quantal-x86_64-8::dhcp
> drbd.minor_count=8' -initrd /fs/sdc1/initrd-vm-lkp-wsx03-quantal-
> x86_64-8 -m 360 -smp 2 -device e1000,netdev=net0 -netdev user,id=net0
> -boot order=nc -no-reboot -watchdog i6300esb -rtc base=localtime
> -pidfile /dev/shm/kboot/pid-vm-lkp-wsx03-quantal-x86_64-8 -serial
> file:/dev/shm/kboot/serial-vm-lkp-wsx03-quantal-x86_64-8 -daemonize
> -display none -monitor null
>
>
>
>
>
> Thanks,
> Xiaolong
Powered by blists - more mailing lists