Message-ID: <20220218083410.GB4377@xsang-OptiPlex-9020>
Date:   Fri, 18 Feb 2022 16:34:10 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Ville Syrjälä <ville.syrjala@...ux.intel.com>
Cc:     Manasi Navare <manasi.d.navare@...el.com>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [drm/i915]  a6e7a006f5:
 UBSAN:shift-out-of-bounds_in_drivers/gpu/drm/i915/display/intel_display.c



Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: a6e7a006f5d551ee0827059300148e1c9cf4f9a3 ("drm/i915: Change bigjoiner state tracking to use the pipe bitmask")
url: https://github.com/0day-ci/linux/commits/Imre-Deak/drm-i915-Disconnect-PHYs-left-connected-by-BIOS-on-disabled-ports/20220217-232408

in testcase: igt
version: igt-x86_64-59c59f45-1_20220212
with following parameters:

	group: group-18
	ucode: 0xc2



on test machine: 20 threads 1 sockets Comet Lake with 16G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[   41.325025][ T1231] UBSAN: shift-out-of-bounds in drivers/gpu/drm/i915/display/intel_display.c:348:40
[   41.335986][ T1231] shift exponent -1 is negative
[   41.340674][ T1231] CPU: 9 PID: 1231 Comm: core_hotunplug Not tainted 5.17.0-rc2-00221-ga6e7a006f5d5 #1
[   41.350000][ T1231] Call Trace:
[   41.353131][ T1231]  <TASK>
[ 41.355913][ T1231] dump_stack_lvl (lib/dump_stack.c:107) 
[ 41.360249][ T1231] ubsan_epilogue (lib/ubsan.c:152) 
[ 41.364502][ T1231] __ubsan_handle_shift_out_of_bounds.cold (lib/ubsan.c:330) 
[ 41.371069][ T1231] ? skl_detach_scaler+0x2b/0x480 i915
[ 41.377214][ T1231] intel_crtc_bigjoiner_slave_pipes.cold (drivers/gpu/drm/i915/i915_trace.h:646) i915
[ 41.384211][ T1231] intel_ddi_post_disable (drivers/gpu/drm/i915/display/intel_ddi.c:2725 (discriminator 4)) i915
[ 41.390088][ T1231] intel_encoders_post_disable (drivers/gpu/drm/i915/display/intel_display.c:1657) i915
[ 41.396392][ T1231] intel_old_crtc_state_disables+0x9f/0x280 i915
[ 41.403386][ T1231] intel_atomic_commit_tail (drivers/gpu/drm/i915/display/intel_display.c:8270 drivers/gpu/drm/i915/display/intel_display.c:8552) i915
[ 41.409514][ T1231] ? intel_get_crtc_new_encoder (drivers/gpu/drm/i915/display/intel_display.c:8524) i915
[ 41.415902][ T1231] ? __i915_sw_fence_complete (drivers/gpu/drm/i915/i915_sw_fence.c:131 drivers/gpu/drm/i915/i915_sw_fence.c:209 drivers/gpu/drm/i915/i915_sw_fence.c:191) i915
[ 41.422102][ T1231] ? flush_workqueue_prep_pwqs (kernel/workqueue.c:2816) 
[ 41.427729][ T1231] intel_atomic_commit (drivers/gpu/drm/i915/display/intel_display.c:8825) i915
[ 41.433338][ T1231] drm_atomic_helper_disable_all (drivers/gpu/drm/drm_atomic_helper.c:3118) drm_kms_helper
[ 41.440613][ T1231] drm_atomic_helper_shutdown (drivers/gpu/drm/drm_atomic_helper.c:3144 (discriminator 6)) drm_kms_helper
[ 41.447638][ T1231] ? drm_atomic_helper_disable_all (drivers/gpu/drm/drm_atomic_helper.c:3137) drm_kms_helper
[ 41.455076][ T1231] ? kasan_set_track (mm/kasan/common.c:45) 
[ 41.459674][ T1231] ? kfree (mm/slub.c:1754 mm/slub.c:3509 mm/slub.c:4562) 
[ 41.463730][ T1231] ? component_del (drivers/base/component.c:767) 
[ 41.468320][ T1231] intel_display_driver_unregister (drivers/gpu/drm/i915/display/intel_display.c:10812) i915
[ 41.474798][ T1231] i915_driver_remove (drivers/gpu/drm/i915/i915_drv.h:882 drivers/gpu/drm/i915/i915_driver.c:739 drivers/gpu/drm/i915/i915_driver.c:937) i915
[ 41.480211][ T1231] i915_pci_remove (include/linux/device.h:698 include/linux/pci.h:1962 drivers/gpu/drm/i915/i915_pci.c:1152) i915
[ 41.485289][ T1231] pci_device_remove (drivers/pci/pci-driver.c:464) 
[ 41.489970][ T1231] device_release_driver_internal (drivers/base/dd.c:1204 drivers/base/dd.c:1237) 
[ 41.495848][ T1231] unbind_store (drivers/base/bus.c:194) 
[ 41.500187][ T1231] ? sysfs_kf_bin_read (fs/sysfs/file.c:129) 
[ 41.505122][ T1231] kernfs_fop_write_iter (fs/kernfs/file.c:296) 
[ 41.510230][ T1231] new_sync_write (include/linux/fs.h:2074 (discriminator 1) fs/read_write.c:503 (discriminator 1)) 
[ 41.514734][ T1231] ? new_sync_read (fs/read_write.c:493) 
[ 41.519325][ T1231] ? kasan_set_track (mm/kasan/common.c:45) 
[ 41.523920][ T1231] vfs_write (fs/read_write.c:590) 
[ 41.528003][ T1231] ksys_write (fs/read_write.c:643) 
[ 41.532082][ T1231] ? __ia32_sys_read (fs/read_write.c:633) 
[ 41.536679][ T1231] ? filp_open (fs/open.c:1228) 
[ 41.540751][ T1231] ? exit_to_user_mode_prepare (include/linux/sched.h:2224 include/linux/tracehook.h:200 kernel/entry/common.c:175 kernel/entry/common.c:207) 
[ 41.546385][ T1231] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 41.550633][ T1231] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) 
[   41.556351][ T1231] RIP: 0033:0x7f33487f5471
[ 41.560606][ T1231] Code: 00 00 75 05 48 83 c4 58 c3 e8 0b 4d ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 8b 05 da ef 00 00 85 c0 75 16 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 57 c3 66 0f 1f 44 00 00 41 54 49 89 d4 55 48
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	75 05                	jne    0x9
   4:	48 83 c4 58          	add    $0x58,%rsp
   8:	c3                   	retq   
   9:	e8 0b 4d ff ff       	callq  0xffffffffffff4d19
   e:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  15:	00 00 00 
  18:	90                   	nop
  19:	8b 05 da ef 00 00    	mov    0xefda(%rip),%eax        # 0xeff9
  1f:	85 c0                	test   %eax,%eax
  21:	75 16                	jne    0x39
  23:	b8 01 00 00 00       	mov    $0x1,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 57                	ja     0x89
  32:	c3                   	retq   
  33:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
  39:	41 54                	push   %r12
  3b:	49 89 d4             	mov    %rdx,%r12
  3e:	55                   	push   %rbp
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 57                	ja     0x5f
   8:	c3                   	retq   
   9:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
   f:	41 54                	push   %r12
  11:	49 89 d4             	mov    %rdx,%r12
  14:	55                   	push   %rbp
  15:	48                   	rex.W
[   41.579906][ T1231] RSP: 002b:00007ffc16927858 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   41.588116][ T1231] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f33487f5471
[   41.595888][ T1231] RDX: 000000000000000c RSI: 00007f334a1cd12c RDI: 0000000000000004
[   41.603659][ T1231] RBP: 00007f334a1cd12c R08: 0000000000000000 R09: 00007f334a1aef90
[   41.611430][ T1231] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[   41.619206][ T1231] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   41.626980][ T1231]  </TASK>
[   41.629869][ T1231] ================================================================================
[   41.739693][ T1231] [IGT] core_hotunplug: rebinding the driver to the device
[   41.747640][ T1231] i915 0000:00:02.0: vgaarb: deactivate vga console
[   41.765945][  T166] i915 0000:00:02.0: Direct firmware load for i915/kbl_dmc_ver1_04.bin failed with error -2
[   41.775993][  T166] i915 0000:00:02.0: [drm] Failed to load DMC firmware i915/kbl_dmc_ver1_04.bin. Disabling runtime power management.
[   41.788003][  T166] i915 0000:00:02.0: [drm] DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915
[   42.559039][  T492] result_service: raw_upload, RESULT_MNT: /internal-lkp-server/result, RESULT_ROOT: /internal-lkp-server/result/igt/group-18-ucode=0xc2/lkp-cml-d02/debian-10.4-x86_64-20200603.cgz/x86_64-rhel-8.3-func/gcc-9/a6e7a006f5d551ee0827059300148e1c9cf4f9a3/3, TMP_RESULT_ROOT: /tmp/lkp/result
[   42.559047][  T492]
[   42.590026][  T492] run-job /lkp/jobs/scheduled/lkp-cml-d02/igt-group-18-ucode=0xc2-debian-10.4-x86_64-20200603.cgz-a6e7a006f5d551ee0827059300148e1c9cf4f9a3-20220218-61918-x4mm0l-4.yaml
[   42.590030][  T492]
[   42.902390][ T1231] i915 0000:00:02.0: [drm] failed to retrieve link info, disabling eDP
[   42.916520][ T1231] [drm] Initialized i915 1.6.0 20201103 for 0000:00:02.0 on minor 0
[   42.943203][ T1231] ACPI: video: Video Device [GFX0] (multi-head: yes  rom: no  post: no)
[   42.959769][ T1231] acpi device:15: registered as cooling_device26
[   42.966621][ T1231] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/LNXVIDEO:00/input/input8
[   42.981282][ T1231] [IGT] core_hotunplug: reopening DRM device for health check
[   42.989416][ T1231] [IGT] core_hotunplug: running i915 GPU healthcheck
[   42.998441][ T1231] [IGT] core_hotunplug: running device sysfs healthcheck
[   43.005634][ T1231] [IGT] core_hotunplug: running i915 device perf healthcheck
[   43.014504][ T1231] [IGT] core_hotunplug: closing health checked device instance
[   43.022891][  T118] fbcon: i915drmfb (fb0) is primary device
[   43.042385][  T118] Console: switching to colour frame buffer device 160x64
[   43.074272][  T118] i915 0000:00:02.0: [drm] fb0: i915drmfb frame buffer device
[   43.158864][ T1231] [IGT] core_hotunplug: reopening render device for health check
[   43.167380][ T1231] [IGT] core_hotunplug: running i915 GPU healthcheck
[   43.175181][ T1231] [IGT] core_hotunplug: running device sysfs healthcheck
[   43.182239][ T1231] [IGT] core_hotunplug: running i915 device perf healthcheck
[   43.189665][ T1231] [IGT] core_hotunplug: closing health checked device instance
[   43.225828][ T1231] [IGT] core_hotunplug: exiting, ret=0
[   43.300026][ T1274] Console: switching to colour dummy device 80x25
[   43.306353][ T1274] [IGT] drm_import_export: executing
[   43.329501][ T1274] [IGT] drm_import_export: exiting, ret=77
[   43.335488][ T1274] Console: switching to colour frame buffer device 160x64
[   43.398010][ T1296] Console: switching to colour dummy device 80x25
[   43.404308][ T1296] [IGT] drm_import_export: executing
[   43.411048][ T1296] [IGT] drm_import_export: exiting, ret=77
[   43.417019][ T1296] Console: switching to colour frame buffer device 160x64
[   43.420794][  T492] /usr/bin/wget -q --timeout=1800 --tries=1 --local-encoding=UTF-8 http://internal-lkp-server:80/~lkp/cgi-bin/lkp-jobfile-append-var?job_file=/lkp/jobs/scheduled/lkp-cml-d02/igt-group-18-ucode=0xc2-debian-10.4-x86_64-20200603.cgz-a6e7a006f5d551ee0827059300148e1c9cf4f9a3-20220218-61918-x4mm0l-4.yaml&job_state=running -O /dev/null
[   43.426726][  T492]
[   43.459694][  T492] target ucode: 0xc2
[   43.459699][  T492]
[   43.466255][  T492] current_version: c2, target_version: c2
[   43.466259][  T492]
[   43.474521][  T492] LKP SKIP igt@...e_hotunplug@...rebind
[   43.474525][  T492]
[   43.482401][ T1318] Console: switching to colour dummy device 80x25
[   43.482805][  T492] LKP SKIP igt@...e_hotunplug@...rebind-lateclose
[   43.488644][  T492]
[   43.490475][ T1318] [IGT] drm_import_export: executing
[   43.495462][  T492] LKP SKIP igt@...e_hotunplug@...replug
[   43.502218][  T492]
[   43.510476][  T492] LKP SKIP igt@...e_hotunplug@...replug-lateclose
[   43.510480][  T492]
[   43.519558][  T492] LKP SKIP igt@...e_hotunplug@...unbind-rebind
[   43.519561][  T492]
[   43.528340][  T492] LKP SKIP igt@...e_hotunplug@...unplug-rescan
[   43.528344][  T492]
[   43.531271][ T1318] [IGT] drm_import_export: exiting, ret=77
[   43.535361][  T492] 2022-02-17 22:13:38 build/tests/core_hotunplug --run-subtest unbind-rebind
[   43.542147][  T492]
[   43.543247][  T492] IGT-Version: 1.26-g59c59f45 (x86_64) (Linux: 5.17.0-rc2-00221-ga6e7a006f5d5 x86_64)
[   43.552930][  T492]
[   43.553050][ T1318] Console: switching to colour frame buffer device 160x64
[   43.553330][  T492] Starting subtest: unbind-rebind
[   43.553333][  T492]
[   43.553835][  T492] Subtest unbind-rebind: SUCCESS (2.021s)


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.17.0-rc2-00221-ga6e7a006f5d5" of type "text/plain" (178964 bytes)

View attachment "job-script" of type "text/plain" (5283 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (17316 bytes)

View attachment "igt" of type "text/plain" (48364 bytes)

View attachment "job.yaml" of type "text/plain" (4324 bytes)

View attachment "reproduce" of type "text/plain" (9232 bytes)
