Message-ID: <20181221193403.ch7p7b3lueqqizck@inn2.lkp.intel.com>
Date: Sat, 22 Dec 2018 03:34:04 +0800
From: kernel test robot <lkp@...el.com>
To: Joerg Roedel <jroedel@...e.de>
Cc: LKML <linux-kernel@...r.kernel.org>,
Stephen Rothwell <sfr@...b.auug.org.au>, lkp@...org
Subject: [iommu/of] 641fb0efbf: BUG:KASAN:null-ptr-deref_in_i
FYI, we noticed the following commit (built with gcc-7):
commit: 641fb0efbff063ed57f108c2eb4a4d26dbd5badd ("iommu/of: Don't call iommu_ops->add_device directly")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
in testcase: trinity
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 768M
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+----------------------------------------------------+------------+------------+
|                                                    | cc5aed44a3 | 641fb0efbf |
+----------------------------------------------------+------------+------------+
| boot_successes                                     | 42         | 0          |
| boot_failures                                      | 3          | 25         |
| BUG:kernel_hang_in_boot-around-mounting-root_stage | 3          |            |
| BUG:KASAN:null-ptr-deref_in_i                      | 0          | 25         |
| BUG:unable_to_handle_kernel                        | 0          | 25         |
| Oops:#[##]                                         | 0          | 25         |
| RIP:iommu_probe_device                             | 0          | 25         |
| Kernel_panic-not_syncing:Fatal_exception           | 0          | 25         |
+----------------------------------------------------+------------+------------+
[ 23.649624] BUG: KASAN: null-ptr-deref in iommu_probe_device+0x5b/0x70
[ 23.650408] Read of size 8 at addr 0000000000000058 by task swapper/1
[ 23.651175]
[ 23.651380] CPU: 0 PID: 1 Comm: swapper Not tainted 4.20.0-rc1-00031-g641fb0e #2
[ 23.652267] Call Trace:
[ 23.652588] kasan_report+0x200/0x350
[ 23.653055] iommu_probe_device+0x5b/0x70
[ 23.653564] of_iommu_configure+0x1f0/0x290
[ 23.654097] ? of_get_dma_window+0x3e0/0x3e0
[ 23.654636] ? of_get_next_parent+0x51/0x70
[ 23.655158] ? lock_downgrade+0x290/0x290
[ 23.655665] ? of_get_next_parent+0x22/0x70
[ 23.656191] ? do_raw_spin_unlock+0xda/0xf0
[ 23.656722] ? of_get_next_parent+0x5a/0x70
[ 23.657252] of_dma_configure+0x2fe/0x3b0
[ 23.657764] ? of_device_get_match_data+0x90/0x90
[ 23.658358] ? devres_remove+0x37/0x1b0
[ 23.658853] ? __kasan_slab_free+0x200/0x210
[ 23.659563] ? kfree+0x15a/0x1f0
[ 23.659980] ? __driver_attach+0x170/0x170
[ 23.660494] ? devres_free+0x3d/0x50
[ 23.660950] ? __platform_register_drivers+0x150/0x150
[ 23.661586] platform_dma_configure+0x3d/0xd0
[ 23.662138] really_probe+0x1a3/0x5d0
[ 23.662619] ? __driver_attach+0x170/0x170
[ 23.663141] driver_probe_device+0x10a/0x170
[ 23.663712] __device_attach_driver+0x139/0x170
[ 23.664276] bus_for_each_drv+0xda/0x160
[ 23.664811] ? bus_for_each_dev+0x170/0x170
[ 23.665360] ? do_raw_spin_unlock+0xda/0xf0
[ 23.665913] __device_attach+0x141/0x210
[ 23.666431] ? device_bind_driver+0x80/0x80
[ 23.666961] ? kobject_uevent_env+0x9a0/0x9c0
[ 23.667538] bus_probe_device+0x6b/0x140
[ 23.668058] device_add+0x809/0xbd0
[ 23.668531] ? _dev_warn+0x110/0x110
[ 23.669003] ? of_get_property+0x50/0x50
[ 23.669519] ? do_raw_spin_unlock+0xda/0xf0
[ 23.670083] of_platform_device_create_pdata+0xf0/0x120
[ 23.670770] of_platform_bus_create+0x287/0x370
[ 23.671375] ? lock_downgrade+0x290/0x290
[ 23.671880] ? of_platform_device_create_pdata+0x120/0x120
[ 23.672561] ? of_get_next_child+0x1b/0x50
[ 23.673088] ? do_raw_spin_unlock+0xda/0xf0
[ 23.673636] of_platform_populate+0x87/0xf0
[ 23.674171] ? of_find_node_opts_by_path+0x1c7/0x1e0
[ 23.674801] of_unittest+0x2294/0x3659
[ 23.675285] ? dt_alloc_memory+0x22/0x22
[ 23.675788] ? initcall_blacklisted+0x101/0x160
[ 23.676364] ? try_to_run_init_process+0x40/0x40
[ 23.676954] ? kobject_add+0x149/0x180
[ 23.678220] ? ibft_init+0x66d/0x66d
[ 23.678678] ? do_early_param+0xe1/0xe1
[ 23.679157] ? dt_alloc_memory+0x22/0x22
[ 23.679650] ? do_early_param+0xe1/0xe1
[ 23.680125] do_one_initcall+0xd2/0x200
[ 23.680618] ? initcall_blacklisted+0x160/0x160
[ 23.681174] ? kernel_init_freeable+0x12c/0x284
[ 23.681736] ? lock_downgrade+0x290/0x290
[ 23.682263] kernel_init_freeable+0x1ac/0x284
[ 23.682813] ? rest_init+0x140/0x140
[ 23.683287] kernel_init+0xf/0x160
[ 23.683725] ? _raw_spin_unlock_irq+0x1f/0x30
[ 23.684274] ? rest_init+0x140/0x140
[ 23.684737] ret_from_fork+0x35/0x40
[ 23.685200] ==================================================================
[ 23.686068] Disabling lock debugging due to kernel taint
[ 23.686757] BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
[ 23.687715] PGD 0 P4D 0
[ 23.688042] Oops: 0000 [#1] KASAN
[ 23.688472] CPU: 0 PID: 1 Comm: swapper Tainted: G B 4.20.0-rc1-00031-g641fb0e #2
[ 23.689508] RIP: 0010:iommu_probe_device+0x5b/0x70
[ 23.690092] Code: 8b ad 90 00 00 00 e8 b4 f4 8a ff 48 83 bb 20 04 00 00 00 74 07 e8 25 67 7a ff 0f 0b e8 1e 67 7a ff 48 8d 7d 58 e8 95 f4 8a ff <48> 8b 45 58 48 89 df 5b 5d e9 37 5c a4 00 0f 1f 80 00 00 00 00 55
[ 23.692301] RSP: 0018:ffff88000006f5d0 EFLAGS: 00010296
[ 23.692926] RAX: ffff880000060000 RBX: ffff8800164d4410 RCX: ffffffffb90fdaaa
[ 23.693774] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffbaefa140
[ 23.694633] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 23.695511] R10: 0000000000000001 R11: 6775626564206b63 R12: 0000000000000000
[ 23.696372] R13: 0000000000000001 R14: ffffffffbb0b8180 R15: ffff88002e345ef8
[ 23.697245] FS: 0000000000000000(0000) GS:ffffffffbae48000(0000) knlGS:0000000000000000
[ 23.698231] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 23.698902] CR2: 0000000000000058 CR3: 0000000023022000 CR4: 00000000000406b0
[ 23.699764] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 23.700592] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 23.701429] Call Trace:
[ 23.701747] of_iommu_configure+0x1f0/0x290
[ 23.702265] ? of_get_dma_window+0x3e0/0x3e0
[ 23.702787] ? of_get_next_parent+0x51/0x70
[ 23.703288] ? lock_downgrade+0x290/0x290
[ 23.703791] ? of_get_next_parent+0x22/0x70
[ 23.704298] ? do_raw_spin_unlock+0xda/0xf0
[ 23.704809] ? of_get_next_parent+0x5a/0x70
[ 23.705322] of_dma_configure+0x2fe/0x3b0
[ 23.705813] ? of_device_get_match_data+0x90/0x90
[ 23.706384] ? devres_remove+0x37/0x1b0
[ 23.706852] ? __kasan_slab_free+0x200/0x210
[ 23.707399] ? kfree+0x15a/0x1f0
[ 23.707799] ? __driver_attach+0x170/0x170
[ 23.708305] ? devres_free+0x3d/0x50
[ 23.708743] ? __platform_register_drivers+0x150/0x150
[ 23.709368] platform_dma_configure+0x3d/0xd0
[ 23.709913] really_probe+0x1a3/0x5d0
[ 23.710380] ? __driver_attach+0x170/0x170
[ 23.710891] driver_probe_device+0x10a/0x170
[ 23.711425] __device_attach_driver+0x139/0x170
[ 23.711989] bus_for_each_drv+0xda/0x160
[ 23.712487] ? bus_for_each_dev+0x170/0x170
[ 23.713014] ? do_raw_spin_unlock+0xda/0xf0
[ 23.713542] __device_attach+0x141/0x210
[ 23.714037] ? device_bind_driver+0x80/0x80
[ 23.714570] ? kobject_uevent_env+0x9a0/0x9c0
[ 23.715121] bus_probe_device+0x6b/0x140
[ 23.715622] device_add+0x809/0xbd0
[ 23.716062] ? _dev_warn+0x110/0x110
[ 23.716525] ? of_get_property+0x50/0x50
[ 23.717021] ? do_raw_spin_unlock+0xda/0xf0
[ 23.717549] of_platform_device_create_pdata+0xf0/0x120
[ 23.718190] of_platform_bus_create+0x287/0x370
[ 23.718765] ? lock_downgrade+0x290/0x290
[ 23.719261] ? of_platform_device_create_pdata+0x120/0x120
[ 23.719940] ? of_get_next_child+0x1b/0x50
[ 23.720474] ? do_raw_spin_unlock+0xda/0xf0
[ 23.720988] of_platform_populate+0x87/0xf0
[ 23.721505] ? of_find_node_opts_by_path+0x1c7/0x1e0
[ 23.722106] of_unittest+0x2294/0x3659
[ 23.722572] ? dt_alloc_memory+0x22/0x22
[ 23.723069] ? initcall_blacklisted+0x101/0x160
[ 23.723623] ? try_to_run_init_process+0x40/0x40
[ 23.724195] ? kobject_add+0x149/0x180
[ 23.724664] ? ibft_init+0x66d/0x66d
[ 23.725103] ? do_early_param+0xe1/0xe1
[ 23.725580] ? dt_alloc_memory+0x22/0x22
[ 23.726082] ? do_early_param+0xe1/0xe1
[ 23.726550] do_one_initcall+0xd2/0x200
[ 23.727007] ? initcall_blacklisted+0x160/0x160
[ 23.727557] ? kernel_init_freeable+0x12c/0x284
[ 23.728099] ? lock_downgrade+0x290/0x290
[ 23.728595] kernel_init_freeable+0x1ac/0x284
[ 23.729122] ? rest_init+0x140/0x140
[ 23.729572] kernel_init+0xf/0x160
[ 23.729999] ? _raw_spin_unlock_irq+0x1f/0x30
[ 23.730550] ? rest_init+0x140/0x140
[ 23.731003] ret_from_fork+0x35/0x40
[ 23.731457] Modules linked in:
[ 23.731844] CR2: 0000000000000058
[ 23.732260] ---[ end trace fd2f5c8ecc7d9e2a ]---
To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email

Thanks,
lkp
View attachment "config-4.20.0-rc1-00031-g641fb0e" of type "text/plain" (121853 bytes)
View attachment "job-script" of type "text/plain" (4285 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (11980 bytes)