Message-ID: <271d8801-7428-2a9e-5e6f-1a7ad9a752dc@metux.net>
Date:   Fri, 12 Feb 2021 16:22:49 +0100
From:   "Enrico Weigelt, metux IT consult" <lkml@...ux.net>
To:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "devicetree@...r.kernel.org" <devicetree@...r.kernel.org>
Subject: BUG: broken overlay causes very strange kernel crash

Hi folks,


while playing around with overlays, I've encountered a funny crash
that even seems to affect the filesystem. No idea what really happens,
as oftree code detected the broken phandle.

What I did:

* I've written a driver that loads a builtin oftree overlay and tries
   to apply it.
* as it's running on x86 (acpi-based), I'm also creating an of_root node
   and adding some properties to it. (yes, calling of_node_init())
* using of_overlay_fdt_apply(), which seemed to work, but still trying
   to find out how to make it add new top-level nodes ...
* if the call fails, the driver does nothing (except printing the err)
* when adding a fragment with target <0> the crash happens

The crash happens *much* later than loading the overlay: NULL pointer
deref in ext2_error(). Since I can't see any relation between oftree and
ext2, this smells like oftree code is overwriting some unrelated memory.

Maybe something's creating broken pointers and then writing there?

Obviously my driver code is shit, but those strange things happening
smell like something weird is going on deep inside the oftree code that
maybe *could* provide an attack surface.


Does anyone have an idea what's going on here?


thx
--mtx


[    0.629870] OF: overlay: find target, node: /fragment@0, phandle 0x0 
not found
[    0.631603] OF: overlay: init_overlay_changeset() failed, ret = -22
[    0.633131] ofboard: ret=-22 ovcs_id=0
[    0.634039] ofboard: dumping all nodes ...
[    0.634932] ofboard: ==> of node:
[    0.635579] ofboard:  --> property: model
[    0.636333] ofboard:  --> property: compatible
[    0.637202] ofboard: ret=-22 ovcs_id=0
[    0.637919] ofboard: ofdrv done
[    0.638529] IPI shorthand broadcast: enabled
[    0.640553] VFS: Mounted root (ext2 filesystem) readonly on device 254:0.
[    0.642639] Freeing unused kernel image (initmem) memory: 700K
[    0.649080] Write protecting the kernel read-only data: 10240k
[    0.651415] Freeing unused kernel image (text/rodata gap) memory: 2044K
[    0.653478] Freeing unused kernel image (rodata/data gap) memory: 1124K
[    0.655178] Run /sbin/init as init process
[    0.665905] BUG: kernel NULL pointer dereference, address: 
000000000000003a
[    0.667634] #PF: supervisor write access in kernel mode
[    0.668919] #PF: error_code(0x0002) - not-present page
[    0.669011] PGD 0 P4D 0
[    0.669011] Oops: 0002 [#1] PREEMPT SMP PTI
[    0.669011] CPU: 0 PID: 25 Comm: rcS Not tainted 
5.11.0-rc7-00105-g4fb1c4f664da-dirty #247
[    0.669011] Hardware name: PC engines Standard PC (i440FX + PIIX, 
1996)/APU3, BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 044
[    0.669011] RIP: 0010:ext2_error+0x6d/0x90
[    0.669011] Code: 30 31 c0 f6 47 50 01 0f 85 04 32 15 00 4d 8d bc 24 
80 01 00 00 4c 89 ff e8 f0 a4 16 00 4c 89 ff 66 41 83 8c 24 9f
[    0.669011] RSP: 0018:ffffc900000d7aa8 EFLAGS: 00010206
[    0.669011] RAX: 0000000000000000 RBX: ffff888000256000 RCX: 
0000000000000077
[    0.669011] RDX: 0000000000000001 RSI: ffffffff81895e52 RDI: 
ffff88800025e380
[    0.669011] RBP: ffffc900000d7b38 R08: ffff88800048da78 R09: 
ffff8880019f8ff4
[    0.669011] R10: 0000000000000000 R11: ffffffff8f9a8d98 R12: 
ffff88800025e200
[    0.669011] R13: 0000000000000000 R14: ffffffff81895e52 R15: 
ffff88800025e380
[    0.669011] FS:  00007f500a373740(0000) GS:ffff888007a00000(0000) 
knlGS:0000000000000000
[    0.669011] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    0.669011] CR2: 000000000000003a CR3: 00000000009cc000 CR4: 
00000000000006b0
[    0.669011] Call Trace:
[    0.669011]  ? kmem_cache_alloc+0x1a/0x150
[    0.669011]  ext2_get_inode+0x5e/0x130
[    0.669011]  ? iget_locked+0x1e3/0x1f0
[    0.669011]  ext2_iget+0x81/0x420
[    0.669011]  ext2_lookup+0x79/0xb0
[    0.669011]  __lookup_slow+0x79/0x130
[    0.669011]  walk_component+0x139/0x1b0
[    0.669011]  ? path_init+0x2bd/0x3e0
[    0.669011]  path_lookupat+0x6d/0x1b0
[    0.669011]  filename_lookup+0xa5/0x170
[    0.669011]  ? strncpy_from_user+0x53/0x140
[    0.669011]  user_path_at_empty+0x35/0x40
[    0.669011]  vfs_statx+0x6e/0x110
[    0.669011]  ? handle_mm_fault+0x11ee/0x1280
[    0.669011]  __do_sys_newstat+0x3e/0x70
[    0.669011]  ? irqentry_exit+0x3c/0x60
[    0.669011]  ? exc_page_fault+0x22c/0x380
[    0.669011]  ? __do_sys_rt_sigreturn+0xc5/0xe0
[    0.669011]  __x64_sys_newstat+0x11/0x20
[    0.669011]  do_syscall_64+0x32/0x50
[    0.669011]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[    0.669011] RIP: 0033:0x7f500a462ee6
[    0.669011] Code: 00 00 75 05 48 83 c4 18 c3 e8 e6 ef 01 00 66 0f 1f 
44 00 00 41 89 f8 48 89 f7 48 89 d6 41 83 f8 01 77 29 b8 04 02
[    0.669011] RSP: 002b:00007ffd1fb01848 EFLAGS: 00000246 ORIG_RAX: 
0000000000000004
[    0.669011] RAX: ffffffffffffffda RBX: 00007ffd1fb019d0 RCX: 
00007f500a462ee6
[    0.669011] RDX: 00007ffd1fb01890 RSI: 00007ffd1fb01890 RDI: 
0000561c13db2498
[    0.669011] RBP: 0000561c13db1778 R08: 0000000000000001 R09: 
ff736cff6f647166
[    0.669011] R10: 00007f500a40b020 R11: 0000000000000246 R12: 
0000000000000001
[    0.669011] R13: 0000561c13db2498 R14: 0000000000000000 R15: 
0000000000000000
[    0.669011] Modules linked in:
[    0.669011] CR2: 000000000000003a
[    0.669011] ---[ end trace 05e6cb187fe8bcfc ]---
[    0.669011] RIP: 0010:ext2_error+0x6d/0x90
[    0.669011] Code: 30 31 c0 f6 47 50 01 0f 85 04 32 15 00 4d 8d bc 24 
80 01 00 00 4c 89 ff e8 f0 a4 16 00 4c 89 ff 66 41 83 8c 24 9f
[    0.669011] RSP: 0018:ffffc900000d7aa8 EFLAGS: 00010206
[    0.669011] RAX: 0000000000000000 RBX: ffff888000256000 RCX: 
0000000000000077
[    0.669011] RDX: 0000000000000001 RSI: ffffffff81895e52 RDI: 
ffff88800025e380
[    0.669011] RBP: ffffc900000d7b38 R08: ffff88800048da78 R09: 
ffff8880019f8ff4
[    0.669011] R10: 0000000000000000 R11: ffffffff8f9a8d98 R12: 
ffff88800025e200
[    0.669011] R13: 0000000000000000 R14: ffffffff81895e52 R15: 
ffff88800025e380
[    0.669011] FS:  00007f500a373740(0000) GS:ffff888007a00000(0000) 
knlGS:0000000000000000
[    0.669011] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    0.669011] CR2: 000000000000003a CR3: 00000000009cc000 CR4: 
00000000000006b0
[    0.669011] note: rcS[25] exited with preempt_count 1
[   21.773182] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
[   21.773182] 	(detected by 0, t=5252 jiffies, g=-1179, q=23)
[   21.773182] rcu: All QSes seen, last rcu_preempt kthread activity 
5252 (4294897676-4294892424), jiffies_till_next_fqs=1, root ->qs0
[   21.773182] rcu: rcu_preempt kthread starved for 5252 jiffies! g-1179 
f0x2 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
[   21.773182] rcu: 	Unless rcu_preempt kthread gets sufficient CPU 
time, OOM is now expected behavior.
[   21.773182] rcu: RCU grace-period kthread stack dump:
[   21.773182] task:rcu_preempt     state:R  running task     stack: 
0 pid:   11 ppid:     2 flags:0x00004000
[   21.773182] Call Trace:
[   21.773182]  __schedule+0x191/0x4b0
[   21.773182]  ? __mod_timer+0x235/0x3b0
[   21.773182]  schedule+0x5b/0xd0
[   21.773182]  schedule_timeout+0x7b/0xf0
[   21.773182]  ? lock_timer_base+0x70/0x70
[   21.773182]  rcu_gp_kthread+0x5b5/0xc10
[   21.773182]  ? rcu_cpu_kthread+0xa0/0xa0
[   21.773182]  kthread+0x128/0x150
[   21.773182]  ? __kthread_bind_mask+0x70/0x70
[   21.773182]  ret_from_fork+0x1f/0x30
[   48.409796] watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [init:1]
[   48.409796] Modules linked in:
[   48.409796] CPU: 0 PID: 1 Comm: init Tainted: G      D 
5.11.0-rc7-00105-g4fb1c4f664da-dirty #247
[   48.409796] Hardware name: PC engines Standard PC (i440FX + PIIX, 
1996)/APU3, BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 044
[   48.409796] RIP: 0010:native_queued_spin_lock_slowpath+0x11/0x1d0
[   48.409796] Code: 4d 89 58 08 4c 89 c0 c3 0f 0b 66 66 2e 0f 1f 84 00 
00 00 00 00 0f 1f 40 00 8b 05 fa 15 9b 00 85 c0 7e 18 ba 01 00
[   48.409796] RSP: 0018:ffffc90000013ae0 EFLAGS: 00000202
[   48.409796] RAX: 0000000000000001 RBX: ffff888000256000 RCX: 
00000000000001ad
[   48.409796] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 
ffff88800025e380
[   48.409796] RBP: ffffc90000013ae8 R08: ffff88800048c268 R09: 
ffff8880019fe3f4
[   48.409796] R10: 0000000000000000 R11: d0918a8dd08d9e89 R12: 
ffff88800025e200
[   48.409796] R13: 0000000000000000 R14: ffffffff81895e52 R15: 
ffff88800025e380
[   48.409796] FS:  00007f1f631eb740(0000) GS:ffff888007a00000(0000) 
knlGS:0000000000000000
[   48.409796] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   48.409796] CR2: 000000000000003a CR3: 00000000009b4000 CR4: 
00000000000006b0
[   48.409796] Call Trace:
[   48.409796]  ? _raw_spin_lock+0x20/0x30
[   48.409796]  ext2_error+0x60/0x90
[   48.409796]  ? kmem_cache_alloc+0x1a/0x150
[   48.409796]  ext2_get_inode+0x5e/0x130
[   48.409796]  ? iget_locked+0x1e3/0x1f0
[   48.409796]  ext2_iget+0x81/0x420
[   48.409796]  ext2_lookup+0x79/0xb0
[   48.409796]  __lookup_slow+0x79/0x130
[   48.409796]  walk_component+0x139/0x1b0
[   48.409796]  link_path_walk.part.0+0x224/0x350
[   48.409796]  ? path_init+0x2bd/0x3e0
[   48.409796]  path_lookupat+0x3a/0x1b0
[   48.409796]  filename_lookup+0xa5/0x170
[   48.409796]  ? __check_object_size+0x131/0x150
[   48.409796]  ? strncpy_from_user+0x53/0x140
[   48.409796]  ? getname_flags+0x47/0x170
[   48.409796]  ? __do_sys_wait4+0x84/0x90
[   48.409796]  user_path_at_empty+0x35/0x40
[   48.409796]  do_faccessat+0x7a/0x240
[   48.409796]  __x64_sys_access+0x18/0x20
[   48.409796]  do_syscall_64+0x32/0x50
[   48.409796]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   48.409796] RIP: 0033:0x7f1f632dbc77
[   48.409796] Code: 77 01 c3 48 8b 15 f1 b1 0c 00 f7 d8 64 89 02 48 c7 
c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 15 08
[   48.409796] RSP: 002b:00007ffe90e9bce8 EFLAGS: 00000246 ORIG_RAX: 
0000000000000015
[   48.409796] RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 
00007f1f632dbc77
[   48.409796] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 
0000557fcababe83
[   48.409796] RBP: 0000000000000008 R08: 0000000000000000 R09: 
0000000000000000
[   48.409796] R10: 0000000000000000 R11: 0000000000000246 R12: 
0000000000000000
[   48.409796] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000019
[   76.410225] watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [init:1]
[   76.410225] Modules linked in:
[   76.410225] CPU: 0 PID: 1 Comm: init Tainted: G      D      L 
5.11.0-rc7-00105-g4fb1c4f664da-dirty #247
[   76.410225] Hardware name: PC engines Standard PC (i440FX + PIIX, 
1996)/APU3, BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 044
[   76.410225] RIP: 0010:native_queued_spin_lock_slowpath+0x20/0x1d0
[   76.410225] Code: 84 00 00 00 00 00 0f 1f 40 00 8b 05 fa 15 9b 00 85 
c0 7e 18 ba 01 00 00 00 8b 07 85 c0 75 09 3e 0f b1 17 85 c0 78
[   76.410225] RSP: 0018:ffffc90000013ae0 EFLAGS: 00000202
[   76.410225] RAX: 0000000000000001 RBX: ffff888000256000 RCX: 
00000000000001ad
[   76.410225] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 
ffff88800025e380
[   76.410225] RBP: ffffc90000013ae8 R08: ffff88800048c268 R09: 
ffff8880019fe3f4
[   76.410225] R10: 0000000000000000 R11: d0918a8dd08d9e89 R12: 
ffff88800025e200
[   76.410225] R13: 0000000000000000 R14: ffffffff81895e52 R15: 
ffff88800025e380
[   76.410225] FS:  00007f1f631eb740(0000) GS:ffff888007a00000(0000) 
knlGS:0000000000000000
[   76.410225] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   76.410225] CR2: 000000000000003a CR3: 00000000009b4000 CR4: 
00000000000006b0
[   76.410225] Call Trace:
[   76.410225]  ? _raw_spin_lock+0x20/0x30
[   76.410225]  ext2_error+0x60/0x90
[   76.410225]  ? kmem_cache_alloc+0x1a/0x150
[   76.410225]  ext2_get_inode+0x5e/0x130
[   76.410225]  ? iget_locked+0x1e3/0x1f0
[   76.410225]  ext2_iget+0x81/0x420
[   76.410225]  ext2_lookup+0x79/0xb0
[   76.410225]  __lookup_slow+0x79/0x130
[   76.410225]  walk_component+0x139/0x1b0
[   76.410225]  link_path_walk.part.0+0x224/0x350
[   76.410225]  ? path_init+0x2bd/0x3e0
[   76.410225]  path_lookupat+0x3a/0x1b0
[   76.410225]  filename_lookup+0xa5/0x170
[   76.410225]  ? __check_object_size+0x131/0x150
[   76.410225]  ? strncpy_from_user+0x53/0x140
[   76.410225]  ? getname_flags+0x47/0x170
[   76.410225]  ? __do_sys_wait4+0x84/0x90
[   76.410225]  user_path_at_empty+0x35/0x40
[   76.410225]  do_faccessat+0x7a/0x240
[   76.410225]  __x64_sys_access+0x18/0x20
[   76.410225]  do_syscall_64+0x32/0x50
[   76.410225]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   76.410225] RIP: 0033:0x7f1f632dbc77
[   76.410225] Code: 77 01 c3 48 8b 15 f1 b1 0c 00 f7 d8 64 89 02 48 c7 
c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 15 08
[   76.410225] RSP: 002b:00007ffe90e9bce8 EFLAGS: 00000246 ORIG_RAX: 
0000000000000015
[   76.410225] RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 
00007f1f632dbc77
[   76.410225] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 
0000557fcababe83
[   76.410225] RBP: 0000000000000008 R08: 0000000000000000 R09: 
0000000000000000
[   76.410225] R10: 0000000000000000 R11: 0000000000000246 R12: 
0000000000000000
[   76.410225] R13: 0000000000000000 R14: 0000000000000000 R15: 
0000000000000019
[   86.094296] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:


-- 
---
Note: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send us your
GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@...ux.net -- +49-151-27565287
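The overlay in the report is rejected with "phandle 0x0 not found" because its fragment's target is phandle 0, the unresolved value. One defensive measure a loader can take is to validate the overlay blob before it is ever handed to of_overlay_fdt_apply(), so that malformed or unresolved input is refused in userspace or at module load rather than relied on to fail cleanly deep inside the oftree code. The following C program is an added example, not code from the original post or from the kernel: it walks the raw FDT structure block and flags every fragment@N node whose "target" property is missing, malformed or phandle 0, generalising the single case in the report to any number of fragments and also catching a truncated or corrupt blob. The function names (check_overlay_targets, build_sample_overlay) and the small inline DTB builder are assumptions constructed for this example; the FDT token layout, the fragment@N naming and the target/target-path properties follow the device tree specification and the kernel's overlay format.

```c
/* Pre-flight check for a flattened device tree overlay blob (DTB): walks the
 * FDT structure block and flags every /fragment@N node whose "target" property
 * is absent, malformed, or phandle 0, the unresolved value the kernel rejects
 * ("phandle 0x0 not found" in the posted log). Added example, not code from
 * the original post or the kernel; the DTB builder is a constructed fixture. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FDT_MAGIC 0xd00dfeedu
static const uint32_t FDT_BEGIN_NODE = 1, FDT_END_NODE = 2, FDT_PROP = 3, FDT_NOP = 4, FDT_END = 9;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the number of bad fragments, or -1 if the blob is truncated or corrupt;
 * a loader should refuse to hand the overlay to the kernel in either case. */
int check_overlay_targets(const uint8_t *fdt, size_t size) {
    if (size < 40 || be32(fdt) != FDT_MAGIC) return -1;
    uint32_t st_off = be32(fdt + 8), str_off = be32(fdt + 12), st_size = be32(fdt + 36);
    if (st_off > size || st_size > size - st_off || str_off > size) return -1;
    const uint8_t *p = fdt + st_off, *end = p + st_size;
    int depth = 0, in_fragment = 0, have_target = 0, bad = 0;
    while (end - p >= 4) {
        uint32_t tok = be32(p); p += 4;
        if (tok == FDT_BEGIN_NODE) {              /* token, NUL-terminated name, pad to 4 */
            const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
            if (!nul) return -1;
            const char *name = (const char *)p;
            p += ((size_t)(nul - p) + 4) & ~(size_t)3;
            if (++depth == 2 && strncmp(name, "fragment@", 9) == 0) { in_fragment = 1; have_target = 0; }
        } else if (tok == FDT_END_NODE) {
            if (depth == 2 && in_fragment && !have_target) { bad++; puts("fragment has neither target nor target-path"); }
            if (depth == 2) in_fragment = 0;
            if (--depth < 0) return -1;
        } else if (tok == FDT_PROP) {             /* token, len, nameoff, data, pad to 4 */
            if (end - p < 8) return -1;
            uint32_t len = be32(p), nameoff = be32(p + 4); p += 8;
            if (len > (size_t)(end - p) || nameoff >= size - str_off) return -1;
            const char *pname = (const char *)(fdt + str_off + nameoff);
            if (!memchr(pname, 0, size - str_off - nameoff)) return -1;
            if (depth == 2 && in_fragment && strcmp(pname, "target") == 0) {
                have_target = 1;                  /* phandle cell must be one non-zero u32 */
                if (len != 4 || be32(p) == 0) { bad++; puts("fragment target is phandle 0 or malformed"); }
            } else if (depth == 2 && in_fragment && strcmp(pname, "target-path") == 0) have_target = 1;
            p += ((size_t)len + 3) & ~(size_t)3;
        } else if (tok == FDT_END) break;
        else if (tok != FDT_NOP) return -1;       /* unknown token: corrupt blob */
    }
    return bad;
}

/* --- constructed fixture: a minimal DTB builder, just enough for the check --- */
struct fdt_builder { uint8_t st[256]; size_t st_len; uint8_t str[64]; size_t str_len; };

static void put32(uint8_t *buf, size_t *len, uint32_t v) {
    for (int s = 24; s >= 0; s -= 8) buf[(*len)++] = (uint8_t)(v >> s);
}
static void put_padded(uint8_t *buf, size_t *len, const void *d, size_t n) {
    memcpy(buf + *len, d, n); *len += n;
    while (*len % 4) buf[(*len)++] = 0;
}
static void begin_node(struct fdt_builder *b, const char *name) {
    put32(b->st, &b->st_len, FDT_BEGIN_NODE);
    put_padded(b->st, &b->st_len, name, strlen(name) + 1);
}
static void end_node(struct fdt_builder *b) { put32(b->st, &b->st_len, FDT_END_NODE); }
static void prop(struct fdt_builder *b, const char *name, const void *d, uint32_t n) {
    put32(b->st, &b->st_len, FDT_PROP);
    put32(b->st, &b->st_len, n);
    put32(b->st, &b->st_len, (uint32_t)b->str_len);     /* nameoff into the strings block */
    memcpy(b->str + b->str_len, name, strlen(name) + 1); b->str_len += strlen(name) + 1;
    put_padded(b->st, &b->st_len, d, n);
}

/* Builds / { fragment@0 { [target = <phandle>;] __overlay__ { status = "okay"; }; }; }
 * into out and returns its size; with_target=1, phandle=0 is the shape from the report. */
size_t build_sample_overlay(uint8_t *out, int with_target, uint32_t phandle) {
    struct fdt_builder b = {0};
    uint8_t ph[4]; size_t ph_len = 0;
    put32(ph, &ph_len, phandle);                  /* a phandle cell is a big-endian u32 */
    begin_node(&b, "");
    begin_node(&b, "fragment@0");
    if (with_target) prop(&b, "target", ph, 4);
    begin_node(&b, "__overlay__");
    prop(&b, "status", "okay", 5);
    end_node(&b); end_node(&b); end_node(&b);
    put32(b.st, &b.st_len, FDT_END);
    size_t st_off = 40 + 16, str_off = st_off + b.st_len, len = 0;   /* header + empty rsvmap */
    uint32_t hdr[10] = { FDT_MAGIC, (uint32_t)(str_off + b.str_len), (uint32_t)st_off,
                         (uint32_t)str_off, 40, 17, 16, 0, (uint32_t)b.str_len, (uint32_t)b.st_len };
    for (int i = 0; i < 10; i++) put32(out, &len, hdr[i]);
    memset(out + len, 0, 16); len += 16;          /* terminating (0,0) reservation entry */
    memcpy(out + len, b.st, b.st_len);   len += b.st_len;
    memcpy(out + len, b.str, b.str_len); len += b.str_len;
    return len;
}
```

Feeding build_sample_overlay(blob, 1, 0) to check_overlay_targets() returns 1 and reports the phandle-0 target, while a non-zero phandle or a target-path fragment passes with 0; a blob shorter than its header or with a bad magic returns -1. The check only covers the overlay's own structure: it says nothing about the later NULL dereference in ext2_error(), which the post leaves unexplained.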
