Message-ID: <20181221193403.5fml7owgvffhvvu2@inn2.lkp.intel.com>
Date:   Sat, 22 Dec 2018 03:34:03 +0800
From:   kernel test robot <lkp@...el.com>
To:     Joerg Roedel <jroedel@...e.de>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Stephen Rothwell <sfr@...b.auug.org.au>, lkp@...org
Subject: [iommu/of]  641fb0efbf: BUG:KASAN:null-ptr-deref_in_i


FYI, we noticed the following commit (built with gcc-7):

commit: 641fb0efbff063ed57f108c2eb4a4d26dbd5badd ("iommu/of: Don't call iommu_ops->add_device directly")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

in testcase: trinity
with following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 768M

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+----------------------------------------------------+------------+------------+
|                                                    | cc5aed44a3 | 641fb0efbf |
+----------------------------------------------------+------------+------------+
| boot_successes                                     | 42         | 0          |
| boot_failures                                      | 3          | 25         |
| BUG:kernel_hang_in_boot-around-mounting-root_stage | 3          |            |
| BUG:KASAN:null-ptr-deref_in_i                      | 0          | 25         |
| BUG:unable_to_handle_kernel                        | 0          | 25         |
| Oops:#[##]                                         | 0          | 25         |
| RIP:iommu_probe_device                             | 0          | 25         |
| Kernel_panic-not_syncing:Fatal_exception           | 0          | 25         |
+----------------------------------------------------+------------+------------+



[   23.649624] BUG: KASAN: null-ptr-deref in iommu_probe_device+0x5b/0x70
[   23.650408] Read of size 8 at addr 0000000000000058 by task swapper/1
[   23.651175] 
[   23.651380] CPU: 0 PID: 1 Comm: swapper Not tainted 4.20.0-rc1-00031-g641fb0e #2
[   23.652267] Call Trace:
[   23.652588]  kasan_report+0x200/0x350
[   23.653055]  iommu_probe_device+0x5b/0x70
[   23.653564]  of_iommu_configure+0x1f0/0x290
[   23.654097]  ? of_get_dma_window+0x3e0/0x3e0
[   23.654636]  ? of_get_next_parent+0x51/0x70
[   23.655158]  ? lock_downgrade+0x290/0x290
[   23.655665]  ? of_get_next_parent+0x22/0x70
[   23.656191]  ? do_raw_spin_unlock+0xda/0xf0
[   23.656722]  ? of_get_next_parent+0x5a/0x70
[   23.657252]  of_dma_configure+0x2fe/0x3b0
[   23.657764]  ? of_device_get_match_data+0x90/0x90
[   23.658358]  ? devres_remove+0x37/0x1b0
[   23.658853]  ? __kasan_slab_free+0x200/0x210
[   23.659563]  ? kfree+0x15a/0x1f0
[   23.659980]  ? __driver_attach+0x170/0x170
[   23.660494]  ? devres_free+0x3d/0x50
[   23.660950]  ? __platform_register_drivers+0x150/0x150
[   23.661586]  platform_dma_configure+0x3d/0xd0
[   23.662138]  really_probe+0x1a3/0x5d0
[   23.662619]  ? __driver_attach+0x170/0x170
[   23.663141]  driver_probe_device+0x10a/0x170
[   23.663712]  __device_attach_driver+0x139/0x170
[   23.664276]  bus_for_each_drv+0xda/0x160
[   23.664811]  ? bus_for_each_dev+0x170/0x170
[   23.665360]  ? do_raw_spin_unlock+0xda/0xf0
[   23.665913]  __device_attach+0x141/0x210
[   23.666431]  ? device_bind_driver+0x80/0x80
[   23.666961]  ? kobject_uevent_env+0x9a0/0x9c0
[   23.667538]  bus_probe_device+0x6b/0x140
[   23.668058]  device_add+0x809/0xbd0
[   23.668531]  ? _dev_warn+0x110/0x110
[   23.669003]  ? of_get_property+0x50/0x50
[   23.669519]  ? do_raw_spin_unlock+0xda/0xf0
[   23.670083]  of_platform_device_create_pdata+0xf0/0x120
[   23.670770]  of_platform_bus_create+0x287/0x370
[   23.671375]  ? lock_downgrade+0x290/0x290
[   23.671880]  ? of_platform_device_create_pdata+0x120/0x120
[   23.672561]  ? of_get_next_child+0x1b/0x50
[   23.673088]  ? do_raw_spin_unlock+0xda/0xf0
[   23.673636]  of_platform_populate+0x87/0xf0
[   23.674171]  ? of_find_node_opts_by_path+0x1c7/0x1e0
[   23.674801]  of_unittest+0x2294/0x3659
[   23.675285]  ? dt_alloc_memory+0x22/0x22
[   23.675788]  ? initcall_blacklisted+0x101/0x160
[   23.676364]  ? try_to_run_init_process+0x40/0x40
[   23.676954]  ? kobject_add+0x149/0x180
[   23.678220]  ? ibft_init+0x66d/0x66d
[   23.678678]  ? do_early_param+0xe1/0xe1
[   23.679157]  ? dt_alloc_memory+0x22/0x22
[   23.679650]  ? do_early_param+0xe1/0xe1
[   23.680125]  do_one_initcall+0xd2/0x200
[   23.680618]  ? initcall_blacklisted+0x160/0x160
[   23.681174]  ? kernel_init_freeable+0x12c/0x284
[   23.681736]  ? lock_downgrade+0x290/0x290
[   23.682263]  kernel_init_freeable+0x1ac/0x284
[   23.682813]  ? rest_init+0x140/0x140
[   23.683287]  kernel_init+0xf/0x160
[   23.683725]  ? _raw_spin_unlock_irq+0x1f/0x30
[   23.684274]  ? rest_init+0x140/0x140
[   23.684737]  ret_from_fork+0x35/0x40
[   23.685200] ==================================================================
[   23.686068] Disabling lock debugging due to kernel taint
[   23.686757] BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
[   23.687715] PGD 0 P4D 0 
[   23.688042] Oops: 0000 [#1] KASAN
[   23.688472] CPU: 0 PID: 1 Comm: swapper Tainted: G    B             4.20.0-rc1-00031-g641fb0e #2
[   23.689508] RIP: 0010:iommu_probe_device+0x5b/0x70
[   23.690092] Code: 8b ad 90 00 00 00 e8 b4 f4 8a ff 48 83 bb 20 04 00 00 00 74 07 e8 25 67 7a ff 0f 0b e8 1e 67 7a ff 48 8d 7d 58 e8 95 f4 8a ff <48> 8b 45 58 48 89 df 5b 5d e9 37 5c a4 00 0f 1f 80 00 00 00 00 55
[   23.692301] RSP: 0018:ffff88000006f5d0 EFLAGS: 00010296
[   23.692926] RAX: ffff880000060000 RBX: ffff8800164d4410 RCX: ffffffffb90fdaaa
[   23.693774] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffbaefa140
[   23.694633] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   23.695511] R10: 0000000000000001 R11: 6775626564206b63 R12: 0000000000000000
[   23.696372] R13: 0000000000000001 R14: ffffffffbb0b8180 R15: ffff88002e345ef8
[   23.697245] FS:  0000000000000000(0000) GS:ffffffffbae48000(0000) knlGS:0000000000000000
[   23.698231] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   23.698902] CR2: 0000000000000058 CR3: 0000000023022000 CR4: 00000000000406b0
[   23.699764] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   23.700592] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   23.701429] Call Trace:
[   23.701747]  of_iommu_configure+0x1f0/0x290
[   23.702265]  ? of_get_dma_window+0x3e0/0x3e0
[   23.702787]  ? of_get_next_parent+0x51/0x70
[   23.703288]  ? lock_downgrade+0x290/0x290
[   23.703791]  ? of_get_next_parent+0x22/0x70
[   23.704298]  ? do_raw_spin_unlock+0xda/0xf0
[   23.704809]  ? of_get_next_parent+0x5a/0x70
[   23.705322]  of_dma_configure+0x2fe/0x3b0
[   23.705813]  ? of_device_get_match_data+0x90/0x90
[   23.706384]  ? devres_remove+0x37/0x1b0
[   23.706852]  ? __kasan_slab_free+0x200/0x210
[   23.707399]  ? kfree+0x15a/0x1f0
[   23.707799]  ? __driver_attach+0x170/0x170
[   23.708305]  ? devres_free+0x3d/0x50
[   23.708743]  ? __platform_register_drivers+0x150/0x150
[   23.709368]  platform_dma_configure+0x3d/0xd0
[   23.709913]  really_probe+0x1a3/0x5d0
[   23.710380]  ? __driver_attach+0x170/0x170
[   23.710891]  driver_probe_device+0x10a/0x170
[   23.711425]  __device_attach_driver+0x139/0x170
[   23.711989]  bus_for_each_drv+0xda/0x160
[   23.712487]  ? bus_for_each_dev+0x170/0x170
[   23.713014]  ? do_raw_spin_unlock+0xda/0xf0
[   23.713542]  __device_attach+0x141/0x210
[   23.714037]  ? device_bind_driver+0x80/0x80
[   23.714570]  ? kobject_uevent_env+0x9a0/0x9c0
[   23.715121]  bus_probe_device+0x6b/0x140
[   23.715622]  device_add+0x809/0xbd0
[   23.716062]  ? _dev_warn+0x110/0x110
[   23.716525]  ? of_get_property+0x50/0x50
[   23.717021]  ? do_raw_spin_unlock+0xda/0xf0
[   23.717549]  of_platform_device_create_pdata+0xf0/0x120
[   23.718190]  of_platform_bus_create+0x287/0x370
[   23.718765]  ? lock_downgrade+0x290/0x290
[   23.719261]  ? of_platform_device_create_pdata+0x120/0x120
[   23.719940]  ? of_get_next_child+0x1b/0x50
[   23.720474]  ? do_raw_spin_unlock+0xda/0xf0
[   23.720988]  of_platform_populate+0x87/0xf0
[   23.721505]  ? of_find_node_opts_by_path+0x1c7/0x1e0
[   23.722106]  of_unittest+0x2294/0x3659
[   23.722572]  ? dt_alloc_memory+0x22/0x22
[   23.723069]  ? initcall_blacklisted+0x101/0x160
[   23.723623]  ? try_to_run_init_process+0x40/0x40
[   23.724195]  ? kobject_add+0x149/0x180
[   23.724664]  ? ibft_init+0x66d/0x66d
[   23.725103]  ? do_early_param+0xe1/0xe1
[   23.725580]  ? dt_alloc_memory+0x22/0x22
[   23.726082]  ? do_early_param+0xe1/0xe1
[   23.726550]  do_one_initcall+0xd2/0x200
[   23.727007]  ? initcall_blacklisted+0x160/0x160
[   23.727557]  ? kernel_init_freeable+0x12c/0x284
[   23.728099]  ? lock_downgrade+0x290/0x290
[   23.728595]  kernel_init_freeable+0x1ac/0x284
[   23.729122]  ? rest_init+0x140/0x140
[   23.729572]  kernel_init+0xf/0x160
[   23.729999]  ? _raw_spin_unlock_irq+0x1f/0x30
[   23.730550]  ? rest_init+0x140/0x140
[   23.731003]  ret_from_fork+0x35/0x40
[   23.731457] Modules linked in:
[   23.731844] CR2: 0000000000000058
[   23.732260] ---[ end trace fd2f5c8ecc7d9e2a ]---


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
lkp

View attachment "config-4.20.0-rc1-00031-g641fb0e" of type "text/plain" (121853 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (11980 bytes)
