Date:   Sun, 30 Aug 2020 10:28:42 +0800
From:   kernel test robot <lkp@...el.com>
To:     Thomas Pedersen <thomas@...pt-ip.com>
Cc:     Johannes Berg <johannes@...solutions.net>,
        linux-wireless <linux-wireless@...r.kernel.org>,
        Thomas Pedersen <thomas@...pt-ip.com>,
        0day robot <lkp@...el.com>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org
Subject: [mac80211_hwsim] dc5ef7078b: BUG:KASAN:stack-out-of-bounds_in__freq_reg_info

Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: dc5ef7078b77772b5e2ff5a57cd87144c4c9a583 ("mac80211_hwsim: indicate support for S1G")
url: https://github.com/0day-ci/linux/commits/Thomas-Pedersen/add-initial-S1G-support/20200828-063630


in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+-------------------------------------------------+------------+------------+
|                                                 | d86026ca9a | dc5ef7078b |
+-------------------------------------------------+------------+------------+
| boot_successes                                  | 8          | 0          |
| boot_failures                                   | 0          | 8          |
| BUG:KASAN:stack-out-of-bounds_in__freq_reg_info | 0          | 8          |
+-------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <lkp@...el.com>


[   16.018498] BUG: KASAN: stack-out-of-bounds in __freq_reg_info+0x14b/0x170
[   16.019402] Read of size 4 at addr ffffc9000001f8e4 by task swapper/0/1
[   16.020281] 
[   16.020387] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.9.0-rc2-next-20200827-00021-gdc5ef7078b7777 #1
[   16.020387] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   16.020387] Call Trace:
[   16.020387]  dump_stack+0xbf/0x110
[   16.020387]  print_address_description.cold+0x5/0x4b3
[   16.020387]  ? log_store.cold+0x11/0x11
[   16.020387]  ? trace_hardirqs_off+0x29/0x110
[   16.020387]  ? _raw_spin_lock_irqsave+0x8c/0xd0
[   16.020387]  ? _raw_read_lock_irq+0x50/0x50
[   16.020387]  ? trace_hardirqs_on+0x2e/0x120
[   16.020387]  ? __freq_reg_info+0x14b/0x170
[   16.020387]  kasan_report.cold+0x1f/0x38
[   16.020387]  ? __freq_reg_info+0x14b/0x170
[   16.020387]  __freq_reg_info+0x14b/0x170
[   16.020387]  ? freq_reg_info_regd+0x110/0x110
[   16.020387]  ? mutex_is_locked+0x1b/0x30
[   16.020387]  wiphy_update_regulatory+0x338/0x6b0
[   16.020387]  wiphy_regulatory_register+0x3b/0xa0
[   16.020387]  wiphy_register+0xcf3/0x1020
[   16.020387]  ? wiphy_unregister+0x570/0x570
[   16.020387]  ? register_netdev+0x40/0x40
[   16.020387]  ? minstrel_ht_alloc+0x1a7/0x230
[   16.020387]  ieee80211_register_hw+0xf05/0x1460
[   16.020387]  ? ieee80211_ifa6_changed+0x230/0x230
[   16.020387]  ? memset+0x20/0x40
[   16.020387]  ? __hrtimer_init+0xbb/0xf0
[   16.020387]  mac80211_hwsim_new_radio+0xd89/0x1830
[   16.020387]  ? hwsim_virtio_rx_work+0x1f0/0x1f0
[   16.020387]  init_mac80211_hwsim+0x315/0x42c
[   16.020387]  ? printk+0x96/0xb2
[   16.020387]  ? rndis_wlan_driver_init+0x1a/0x1a
[   16.020387]  do_one_initcall+0x75/0x294
[   16.020387]  ? perf_trace_initcall_level+0x1f0/0x1f0
[   16.020387]  ? parameqn+0x80/0x90
[   16.020387]  ? kasan_unpoison_shadow+0x33/0x40
[   16.020387]  kernel_init_freeable+0x2b8/0x313
[   16.020387]  ? rest_init+0xd6/0xd6
[   16.020387]  kernel_init+0xd/0x11a
[   16.020387]  ret_from_fork+0x22/0x30
[   16.020387] 
[   16.020387] addr ffffc9000001f8e4 is located in stack of task swapper/0/1 at offset 28 in frame:
[   16.020387]  __freq_reg_info+0x0/0x170
[   16.020387] 
[   16.020387] this frame has 1 object:
[   16.020387]  [32, 64) 'bws'
[   16.020387] 
[   16.020387] Memory state around the buggy address:
[   16.020387]  ffffc9000001f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.020387]  ffffc9000001f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.020387] >ffffc9000001f880: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00
[   16.020387]                                                        ^
[   16.020387]  ffffc9000001f900: 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00
[   16.020387]  ffffc9000001f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   16.020387] ==================================================================
[   16.020387] Disabling lock debugging due to kernel taint
[   16.065939] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
[   16.073468] usbcore: registered new interface driver catc
[   16.074373] usbcore: registered new interface driver kaweth
[   16.075147] pegasus: v0.9.3 (2013/04/25), Pegasus/Pegasus II USB Ethernet driver
[   16.076356] usbcore: registered new interface driver pegasus
[   16.077286] usbcore: registered new interface driver rtl8150
[   16.078066] hso: drivers/net/usb/hso.c: Option Wireless
[   16.079118] usbcore: registered new interface driver hso
[   16.080014] usbcore: registered new interface driver lan78xx
[   16.080941] usbcore: registered new interface driver cdc_ether
[   16.081861] usbcore: registered new interface driver cdc_eem
[   16.082776] usbcore: registered new interface driver dm9601
[   16.083759] usbcore: registered new interface driver CoreChips
[   16.084773] usbcore: registered new interface driver smsc95xx
[   16.085703] usbcore: registered new interface driver gl620a
[   16.086632] usbcore: registered new interface driver net1080
[   16.087543] usbcore: registered new interface driver rndis_host
[   16.088503] usbcore: registered new interface driver cdc_subset
[   16.089446] usbcore: registered new interface driver kalmia
[   16.090365] usbcore: registered new interface driver ipheth
[   16.091315] usbcore: registered new interface driver sierra_net
[   16.092269] usbcore: registered new interface driver cx82310_eth
[   16.093306] usbcore: registered new interface driver cdc_ncm
[   16.094224] usbcore: registered new interface driver huawei_cdc_ncm
[   16.095202] usbcore: registered new interface driver lg-vl600
[   16.096151] usbcore: registered new interface driver qmi_wwan
[   16.097078] usbcore: registered new interface driver cdc_mbim
[   16.100599] usbcore: registered new interface driver ch9200
[   16.102062] parport0: cannot grant exclusive access for device ks0108
[   16.102925] ks0108: ERROR: parport didn't register new device
[   16.247986] panel: panel driver registered on parport0 (io=0x378).
[   16.252248] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[   16.253129] ehci-pci: EHCI PCI platform driver
[   16.253917] ehci-platform: EHCI generic platform driver
[   16.254894] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[   16.255875] ohci-pci: OHCI PCI platform driver
[   16.256689] ohci-platform: OHCI generic platform driver
[   16.257770] driver u132_hcd
[   16.258888] fotg210_hcd: FOTG210 Host Controller (EHCI) Driver
[   16.259689] Warning! fotg210_hcd should always be loaded before uhci_hcd and ohci_hcd, not after
[   16.261402] usbcore: registered new interface driver cdc_acm
[   16.262181] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[   16.263434] usbcore: registered new interface driver cdc_wdm


To reproduce:

        # build kernel
        cd linux
        cp config-5.9.0-rc2-next-20200827-00021-gdc5ef7078b7777 .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        # boot the resulting bzImage under qemu with the lkp job script
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
lkp


View attachment "config-5.9.0-rc2-next-20200827-00021-gdc5ef7078b7777" of type "text/plain" (159627 bytes)

View attachment "job-script" of type "text/plain" (4810 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (18316 bytes)
