Message-ID: <20220320134845.GB6208@xsang-OptiPlex-9020>
Date: Sun, 20 Mar 2022 21:48:45 +0800
From: kernel test robot <oliver.sang@...el.com>
To: "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>
Cc: Mario Limonciello <Mario.Limonciello@....com>,
Huang Rui <ray.huang@....com>,
Mika Westerberg <mika.westerberg@...ux.intel.com>,
LKML <linux-kernel@...r.kernel.org>, linux-acpi@...r.kernel.org,
devel@...ica.org, linux-pm@...r.kernel.org, lkp@...ts.01.org,
lkp@...el.com
Subject: [ACPI] 2ca8e62852: BUG:KASAN:slab-out-of-bounds_in_acpi_cppc_processor_probe
Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 2ca8e6285250c07a2e5a22ecbfd59b5a4ef73484 ("Revert "ACPI: Pass the same capabilities to the _OSC regardless of the query flag"")
https://git.kernel.org/cgit/linux/kernel/git/rafael/linux-pm.git bleeding-edge

in testcase: igt
version: igt-x86_64-0fcd59ad-1_20220319
with following parameters:

	group: gem_ctx_create
	test: active
	ucode: 0xec

on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz with 32G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>

[ 5.362189][ T1] BUG: KASAN: slab-out-of-bounds in acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688)
[ 5.362189][ T1] Read of size 4 at addr ffff888107b6ce30 by task swapper/0/1
[ 5.362189][ T1]
[ 5.362189][ T1] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G I 5.17.0-rc6-00002-g2ca8e6285250 #1
[ 5.362189][ T1] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.1.1 10/07/2015
[ 5.362189][ T1] Call Trace:
[ 5.362189][ T1] <TASK>
[ 5.362189][ T1] dump_stack_lvl (lib/dump_stack.c:107)
[ 5.362189][ T1] print_address_description+0x21/0x180
[ 5.362189][ T1] ? acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688)
[ 5.362189][ T1] ? acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688)
[ 5.362189][ T1] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459)
[ 5.362189][ T1] ? acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688)
[ 5.362189][ T1] acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688)
[ 5.362189][ T1] ? down_write (arch/x86/include/asm/atomic64_64.h:34 include/linux/atomic/atomic-long.h:41 include/linux/atomic/atomic-instrumented.h:1280 kernel/locking/rwsem.c:138 kernel/locking/rwsem.c:255 kernel/locking/rwsem.c:1258 kernel/locking/rwsem.c:1268 kernel/locking/rwsem.c:1515)
[ 5.362189][ T1] ? acpi_get_psd_map (drivers/acpi/cppc_acpi.c:647)
[ 5.362189][ T1] ? kernfs_activate (fs/kernfs/dir.c:1312)
[ 5.362189][ T1] ? up_write (arch/x86/include/asm/atomic64_64.h:172 include/linux/atomic/atomic-long.h:95 include/linux/atomic/atomic-instrumented.h:1348 kernel/locking/rwsem.c:1318 kernel/locking/rwsem.c:1567)
[ 5.362189][ T1] ? mutex_unlock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:449 include/linux/atomic/atomic-instrumented.h:1790 kernel/locking/mutex.c:178 kernel/locking/mutex.c:537)
[ 5.362189][ T1] __acpi_processor_start (drivers/acpi/processor_driver.c:229)
[ 5.362189][ T1] acpi_processor_start (drivers/acpi/processor_driver.c:259)
[ 5.362189][ T1] really_probe (drivers/base/dd.c:751)
[ 5.362189][ T1] __driver_probe_device (drivers/base/dd.c:755)
[ 5.362189][ T1] driver_probe_device (drivers/base/dd.c:785)
[ 5.362189][ T1] __driver_attach (drivers/base/dd.c:1145)
[ 5.362189][ T1] ? __device_attach_driver (drivers/base/dd.c:1097)
[ 5.362189][ T1] bus_for_each_dev (drivers/base/bus.c:301)
[ 5.362189][ T1] ? _raw_spin_lock_bh (kernel/locking/spinlock.c:153)
[ 5.362189][ T1] ? subsys_dev_iter_exit (drivers/base/bus.c:290)
[ 5.362189][ T1] ? klist_node_init (arch/x86/include/asm/atomic.h:41 include/linux/atomic/atomic-instrumented.h:42 include/linux/refcount.h:136 include/linux/kref.h:31 lib/klist.c:111)
[ 5.362189][ T1] bus_add_driver (drivers/base/bus.c:619)
[ 5.362189][ T1] driver_register (drivers/base/driver.c:171)
[ 5.362189][ T1] acpi_processor_driver_init (drivers/acpi/processor_driver.c:322)
[ 5.362189][ T1] ? acpi_pci_slot_init (drivers/acpi/processor_driver.c:316)
[ 5.362189][ T1] do_one_initcall (init/main.c:1300)
[ 5.362189][ T1] ? trace_event_raw_event_initcall_level (init/main.c:1291)
[ 5.362189][ T1] ? parameq (kernel/params.c:170)
[ 5.362189][ T1] ? kasan_unpoison (mm/kasan/shadow.c:108 mm/kasan/shadow.c:142)
[ 5.362189][ T1] ? __kasan_slab_alloc (mm/kasan/common.c:431 mm/kasan/common.c:469)
[ 5.362189][ T1] kernel_init_freeable (init/main.c:1372 init/main.c:1389 init/main.c:1408 init/main.c:1613)
[ 5.362189][ T1] ? console_on_rootfs (init/main.c:1584)
[ 5.362189][ T1] ? _raw_spin_lock_irq (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:120 kernel/locking/spinlock.c:170)
[ 5.362189][ T1] ? _raw_spin_lock (kernel/locking/spinlock.c:169)
[ 5.362189][ T1] ? rest_init (init/main.c:1494)
[ 5.362189][ T1] kernel_init (init/main.c:1504)
[ 5.362189][ T1] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 5.362189][ T1] </TASK>
[ 5.362189][ T1]
[ 5.362189][ T1] Allocated by task 1:
[ 5.362189][ T1] kasan_save_stack (mm/kasan/common.c:39)
[ 5.362189][ T1] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515 mm/kasan/common.c:524)
[ 5.362189][ T1] acpi_ut_initialize_buffer (drivers/acpi/acpica/utalloc.c:327)
[ 5.362189][ T1] acpi_evaluate_object (drivers/acpi/acpica/nsxfeval.c:400)
[ 5.362189][ T1] acpi_evaluate_object_typed (drivers/acpi/acpica/nsxfeval.c:84)
[ 5.362189][ T1] acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:662)
[ 5.362189][ T1] __acpi_processor_start (drivers/acpi/processor_driver.c:229)
[ 5.362189][ T1] acpi_processor_start (drivers/acpi/processor_driver.c:259)
[ 5.362189][ T1] really_probe (drivers/base/dd.c:751)
[ 5.362189][ T1] __driver_probe_device (drivers/base/dd.c:755)
[ 5.362189][ T1] driver_probe_device (drivers/base/dd.c:785)
[ 5.362189][ T1] __driver_attach (drivers/base/dd.c:1145)
[ 5.362189][ T1] bus_for_each_dev (drivers/base/bus.c:301)
[ 5.362189][ T1] bus_add_driver (drivers/base/bus.c:619)
[ 5.362189][ T1] driver_register (drivers/base/driver.c:171)
[ 5.362189][ T1] acpi_processor_driver_init (drivers/acpi/processor_driver.c:322)
[ 5.362189][ T1] do_one_initcall (init/main.c:1300)
[ 5.362189][ T1] kernel_init_freeable (init/main.c:1372 init/main.c:1389 init/main.c:1408 init/main.c:1613)
[ 5.362189][ T1] kernel_init (init/main.c:1504)
[ 5.362189][ T1] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 5.362189][ T1]
[ 5.362189][ T1] The buggy address belongs to the object at ffff888107b6ce00
[ 5.362189][ T1] which belongs to the cache kmalloc-64 of size 64
[ 5.362189][ T1] The buggy address is located 48 bytes inside of
[ 5.362189][ T1] 64-byte region [ffff888107b6ce00, ffff888107b6ce40)
[ 5.362189][ T1] The buggy address belongs to the page:
[ 5.362189][ T1] page:000000003f38ec2c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107b6c
[ 5.362189][ T1] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[ 5.362189][ T1] raw: 0017ffffc0000200 0000000000000000 dead000000000122 ffff888100042640
[ 5.362189][ T1] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 5.362189][ T1] page dumped because: kasan: bad access detected
[ 5.362189][ T1]
[ 5.362189][ T1] Memory state around the buggy address:
[ 5.362189][ T1] ffff888107b6cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 5.362189][ T1] ffff888107b6cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 5.362189][ T1] >ffff888107b6ce00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 5.362189][ T1] ^
[ 5.362189][ T1] ffff888107b6ce80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 5.362189][ T1] ffff888107b6cf00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 5.362189][ T1] ==================================================================
[ 5.362189][ T1] Disabling lock debugging due to kernel taint
[ 5.874911][ T1] thermal LNXTHERM:00: registered as thermal_zone0
[ 5.881386][ T1] ACPI: thermal: Thermal Zone [TZ00] (28 C)
[ 5.891815][ T1] thermal LNXTHERM:01: registered as thermal_zone1
[ 5.898333][ T1] ACPI: thermal: Thermal Zone [TZ01] (30 C)
[ 5.904719][ T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 5.911928][ T1] 00:01: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[ 5.922511][ T1] Non-volatile memory driver v1.3
[ 5.929002][ T1] rdac: device handler registered
[ 5.934241][ T1] hp_sw: device handler registered
[ 5.939338][ T1] emc: device handler registered
[ 5.944440][ T1] alua: device handler registered

To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.

--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.17.0-rc6-00002-g2ca8e6285250" of type "text/plain" (165720 bytes)
View attachment "job-script" of type "text/plain" (5286 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (23532 bytes)
View attachment "igt" of type "text/plain" (677 bytes)
View attachment "job.yaml" of type "text/plain" (4370 bytes)
View attachment "reproduce" of type "text/plain" (56 bytes)