lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Tue, 18 Feb 2020 09:06:15 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Ville Syrjälä <ville.syrjala@...ux.intel.com>
Cc:     0day robot <lkp@...el.com>,
        Thomas Zimmermann <tzimmermann@...e.de>,
        Daniel Vetter <daniel@...ll.ch>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org
Subject: [drm] 06bc852c76: BUG:KASAN:null-ptr-deref_in_d

FYI, we noticed the following commit (built with gcc-7):

commit: 06bc852c76c970a2fb43e1d39dd21d33fb722ca1 ("drm: Include the encoder itself in possible_clones")
https://github.com/0day-ci/linux/commits/Ville-Syrjala/drm-Try-to-fix-encoder-possible_clones-crtc/20200214-063509

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+-------------------------------------------------------------------------------+------------+------------+
|                                                                               | 16668f8cd3 | 06bc852c76 |
+-------------------------------------------------------------------------------+------------+------------+
| boot_successes                                                                | 0          | 0          |
| boot_failures                                                                 | 12         | 12         |
| WARNING:suspicious_RCU_usage                                                  | 12         | 12         |
| drivers/char/ipmi/ipmi_msghandler.c:#RCU-list_traversed_in_non-reader_section | 12         | 12         |
| security/device_cgroup.c:#RCU-list_traversed_in_non-reader_section            | 12         |            |
| BUG:KASAN:null-ptr-deref_in_d                                                 | 0          | 12         |
| BUG:kernel_NULL_pointer_dereference,address                                   | 0          | 12         |
| Oops:#[##]                                                                    | 0          | 12         |
| RIP:drm_mode_config_validate                                                  | 0          | 12         |
| Kernel_panic-not_syncing:Fatal_exception                                      | 0          | 12         |
+-------------------------------------------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <rong.a.chen@...el.com>


[   37.410835] WARNING: suspicious RCU usage
[   37.411235] 5.6.0-rc1-00653-g06bc852c76c97 #1 Not tainted
[   37.411761] -----------------------------
[   37.412163] drivers/char/ipmi/ipmi_msghandler.c:744 RCU-list traversed in non-reader section!!
[   37.413175] 
[   37.413175] other info that might help us debug this:
[   37.413175] 
[   37.413945] 
[   37.413945] rcu_scheduler_active = 2, debug_locks = 1
[   37.414675] 2 locks held by swapper/1:
[   37.415053]  #0: ffffffff83229708 (smi_watchers_mutex){+.+.}, at: ipmi_smi_watcher_register+0x50/0x230
[   37.415981]  #1: ffffffff855ff9c0 (&ipmi_interfaces_srcu){....}, at: ipmi_smi_watcher_register+0x3d/0x230
[   37.416926] 
[   37.416926] stack backtrace:
[   37.417360] CPU: 0 PID: 1 Comm: swapper Not tainted 5.6.0-rc1-00653-g06bc852c76c97 #1
[   37.418115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   37.418965] Call Trace:
[   37.419238]  ipmi_smi_watcher_register+0x21c/0x230
[   37.419719]  ? rdinit_setup+0x4a/0x4a
[   37.420092]  ? ipmi_init_msghandler_mod+0x53/0x53
[   37.420559]  init_ipmi_devintf+0xe3/0x128
[   37.420980]  do_one_initcall+0xb8/0x370
[   37.421372]  ? boot_config_checksum+0x60/0x60
[   37.421810]  ? rcu_tasks_kthread+0x790/0x790
[   37.422240]  ? __kasan_kmalloc+0x9f/0xd0
[   37.422771]  ? kasan_unpoison_shadow+0x30/0x40
[   37.423217]  ? debug_lockdep_rcu_enabled+0x15/0x30
[   37.423748]  ? rdinit_setup+0x4a/0x4a
[   37.424117]  kernel_init_freeable+0x231/0x2a1
[   37.424552]  ? rest_init+0x170/0x170
[   37.424929]  kernel_init+0xf/0x180
[   37.425274]  ? _raw_spin_unlock_irq+0x1f/0x30
[   37.425708]  ? rest_init+0x170/0x170
[   37.426069]  ret_from_fork+0x24/0x30
[   37.427867] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[   37.428685] ACPI: Power Button [PWRF]
[   37.429529] Warning: Processor Platform Limit event detected, but not handled.
[   37.430244] Consider compiling CPUfreq support into your kernel.
[   37.540867] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[   37.543586] 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[   37.545369] 00:06: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
[   37.551400] ==================================================================
[   37.552160] BUG: KASAN: null-ptr-deref in drm_mode_config_validate+0x3f/0x90
[   37.552847] Read of size 4 at addr 0000000000000044 by task swapper/1
[   37.553469] 
[   37.553635] CPU: 0 PID: 1 Comm: swapper Not tainted 5.6.0-rc1-00653-g06bc852c76c97 #1
[   37.554356] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   37.554356] Call Trace:
[   37.554356]  ? drm_mode_config_validate+0x3f/0x90
[   37.554356]  __kasan_report+0x17a/0x19d
[   37.554356]  ? drm_mode_config_validate+0x3f/0x90
[   37.554356]  kasan_report+0xe/0x20
[   37.554356]  drm_mode_config_validate+0x3f/0x90
[   37.554356]  drm_dev_register+0x1e8/0x370
[   37.554356]  ? rdinit_setup+0x4a/0x4a
[   37.554356]  vgem_init+0x197/0x211
[   37.554356]  ? drm_core_init+0xd8/0xd8
[   37.554356]  ? drm_core_init+0xd8/0xd8
[   37.554356]  do_one_initcall+0xb8/0x370
[   37.554356]  ? boot_config_checksum+0x60/0x60
[   37.554356]  ? rcu_tasks_kthread+0x790/0x790
[   37.554356]  ? __kasan_kmalloc+0x9f/0xd0
[   37.554356]  ? kasan_unpoison_shadow+0x30/0x40
[   37.554356]  ? debug_lockdep_rcu_enabled+0x15/0x30
[   37.554356]  ? rdinit_setup+0x4a/0x4a
[   37.554356]  kernel_init_freeable+0x231/0x2a1
[   37.554356]  ? rest_init+0x170/0x170
[   37.554356]  kernel_init+0xf/0x180
[   37.554356]  ? _raw_spin_unlock_irq+0x1f/0x30
[   37.554356]  ? rest_init+0x170/0x170
[   37.554356]  ret_from_fork+0x24/0x30
[   37.554356] ==================================================================
[   37.554356] Disabling lock debugging due to kernel taint
[   37.566098] BUG: kernel NULL pointer dereference, address: 0000000000000044
[   37.566768] #PF: supervisor read access in kernel mode
[   37.567262] #PF: error_code(0x0000) - not-present page
[   37.567759] PGD 0 P4D 0 
[   37.568019] Oops: 0000 [#1] KASAN PTI
[   37.568378] CPU: 0 PID: 1 Comm: swapper Tainted: G    B             5.6.0-rc1-00653-g06bc852c76c97 #1
[   37.569253] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   37.570027] RIP: 0010:drm_mode_config_validate+0x3f/0x90
[   37.570027] Code: ef e8 95 b7 ae ff 48 8b 83 98 08 00 00 48 39 c5 74 53 48 8d 58 f8 41 bc 01 00 00 00 e8 5a 7a 94 ff 48 8d 7b 4c e8 51 b6 ae ff <8b> 43 4c 85 c0 75 19 e8 45 7a 94 ff 48 8d 7b 44 e8 3c b6 ae ff 8b
[   37.570027] RSP: 0000:ffff8881f6527d18 EFLAGS: 00010282
[   37.570027] RAX: ffff8881f651d300 RBX: fffffffffffffff8 RCX: ffffffff811ae061
[   37.570027] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffffffff83554034
[   37.570027] RBP: ffff8881960ee898 R08: 0000000000000000 R09: 0000000000000000
[   37.570027] R10: 0000000000000001 R11: fffffbfff07629f8 R12: 0000000000000001
[   37.570027] R13: ffff8881960ee020 R14: 0000000000000000 R15: ffffffff839c9796
[   37.570027] FS:  0000000000000000(0000) GS:ffffffff82e99000(0000) knlGS:0000000000000000
[   37.570027] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   37.570027] CR2: 0000000000000044 CR3: 0000000002e36000 CR4: 00000000000406f0
[   37.570027] Call Trace:
[   37.570027]  drm_dev_register+0x1e8/0x370
[   37.570027]  ? rdinit_setup+0x4a/0x4a
[   37.570027]  vgem_init+0x197/0x211
[   37.570027]  ? drm_core_init+0xd8/0xd8
[   37.570027]  ? drm_core_init+0xd8/0xd8
[   37.570027]  do_one_initcall+0xb8/0x370
[   37.570027]  ? boot_config_checksum+0x60/0x60
[   37.570027]  ? rcu_tasks_kthread+0x790/0x790
[   37.570027]  ? __kasan_kmalloc+0x9f/0xd0
[   37.570027]  ? kasan_unpoison_shadow+0x30/0x40
[   37.570027]  ? debug_lockdep_rcu_enabled+0x15/0x30
[   37.570027]  ? rdinit_setup+0x4a/0x4a
[   37.570027]  kernel_init_freeable+0x231/0x2a1
[   37.570027]  ? rest_init+0x170/0x170
[   37.570027]  kernel_init+0xf/0x180
[   37.570027]  ? _raw_spin_unlock_irq+0x1f/0x30
[   37.570027]  ? rest_init+0x170/0x170
[   37.570027]  ret_from_fork+0x24/0x30
[   37.570027] Modules linked in:
[   37.570027] CR2: 0000000000000044
[   37.570027] ---[ end trace b9a1914b014b1891 ]---


To reproduce:

        # build kernel
	cd linux
	cp config-5.6.0-rc1-00653-g06bc852c76c97 .config
	make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Rong Chen


View attachment "config-5.6.0-rc1-00653-g06bc852c76c97" of type "text/plain" (131422 bytes)

View attachment "job-script" of type "text/plain" (4869 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (9344 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ