lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20220320134845.GB6208@xsang-OptiPlex-9020>
Date:   Sun, 20 Mar 2022 21:48:45 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>
Cc:     Mario Limonciello <Mario.Limonciello@....com>,
        Huang Rui <ray.huang@....com>,
        Mika Westerberg <mika.westerberg@...ux.intel.com>,
        LKML <linux-kernel@...r.kernel.org>, linux-acpi@...r.kernel.org,
        devel@...ica.org, linux-pm@...r.kernel.org, lkp@...ts.01.org,
        lkp@...el.com
Subject: [ACPI]  2ca8e62852:
 BUG:KASAN:slab-out-of-bounds_in_acpi_cppc_processor_probe



Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 2ca8e6285250c07a2e5a22ecbfd59b5a4ef73484 ("Revert "ACPI: Pass the same capabilities to the _OSC regardless of the query flag"")
https://git.kernel.org/cgit/linux/kernel/git/rafael/linux-pm.git bleeding-edge

in testcase: igt
version: igt-x86_64-0fcd59ad-1_20220319
with following parameters:

	group: gem_ctx_create
	test: active
	ucode: 0xec



on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz with 32G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 5.362189][ T1] BUG: KASAN: slab-out-of-bounds in acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688) 
[    5.362189][    T1] Read of size 4 at addr ffff888107b6ce30 by task swapper/0/1
[    5.362189][    T1]
[    5.362189][    T1] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G          I       5.17.0-rc6-00002-g2ca8e6285250 #1
[    5.362189][    T1] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.1.1 10/07/2015
[    5.362189][    T1] Call Trace:
[    5.362189][    T1]  <TASK>
[ 5.362189][ T1] dump_stack_lvl (lib/dump_stack.c:107) 
[ 5.362189][ T1] print_address_description+0x21/0x180 
[ 5.362189][ T1] ? acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688) 
[ 5.362189][ T1] ? acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688) 
[ 5.362189][ T1] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459) 
[ 5.362189][ T1] ? acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688) 
[ 5.362189][ T1] acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688) 
[ 5.362189][ T1] ? down_write (arch/x86/include/asm/atomic64_64.h:34 include/linux/atomic/atomic-long.h:41 include/linux/atomic/atomic-instrumented.h:1280 kernel/locking/rwsem.c:138 kernel/locking/rwsem.c:255 kernel/locking/rwsem.c:1258 kernel/locking/rwsem.c:1268 kernel/locking/rwsem.c:1515) 
[ 5.362189][ T1] ? acpi_get_psd_map (drivers/acpi/cppc_acpi.c:647) 
[ 5.362189][ T1] ? kernfs_activate (fs/kernfs/dir.c:1312) 
[ 5.362189][ T1] ? up_write (arch/x86/include/asm/atomic64_64.h:172 include/linux/atomic/atomic-long.h:95 include/linux/atomic/atomic-instrumented.h:1348 kernel/locking/rwsem.c:1318 kernel/locking/rwsem.c:1567) 
[ 5.362189][ T1] ? mutex_unlock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:449 include/linux/atomic/atomic-instrumented.h:1790 kernel/locking/mutex.c:178 kernel/locking/mutex.c:537) 
[ 5.362189][ T1] __acpi_processor_start (drivers/acpi/processor_driver.c:229) 
[ 5.362189][ T1] acpi_processor_start (drivers/acpi/processor_driver.c:259) 
[ 5.362189][ T1] really_probe (drivers/base/dd.c:751) 
[ 5.362189][ T1] __driver_probe_device (drivers/base/dd.c:755) 
[ 5.362189][ T1] driver_probe_device (drivers/base/dd.c:785) 
[ 5.362189][ T1] __driver_attach (drivers/base/dd.c:1145) 
[ 5.362189][ T1] ? __device_attach_driver (drivers/base/dd.c:1097) 
[ 5.362189][ T1] bus_for_each_dev (drivers/base/bus.c:301) 
[ 5.362189][ T1] ? _raw_spin_lock_bh (kernel/locking/spinlock.c:153) 
[ 5.362189][ T1] ? subsys_dev_iter_exit (drivers/base/bus.c:290) 
[ 5.362189][ T1] ? klist_node_init (arch/x86/include/asm/atomic.h:41 include/linux/atomic/atomic-instrumented.h:42 include/linux/refcount.h:136 include/linux/kref.h:31 lib/klist.c:111) 
[ 5.362189][ T1] bus_add_driver (drivers/base/bus.c:619) 
[ 5.362189][ T1] driver_register (drivers/base/driver.c:171) 
[ 5.362189][ T1] acpi_processor_driver_init (drivers/acpi/processor_driver.c:322) 
[ 5.362189][ T1] ? acpi_pci_slot_init (drivers/acpi/processor_driver.c:316) 
[ 5.362189][ T1] do_one_initcall (init/main.c:1300) 
[ 5.362189][ T1] ? trace_event_raw_event_initcall_level (init/main.c:1291) 
[ 5.362189][ T1] ? parameq (kernel/params.c:170) 
[ 5.362189][ T1] ? kasan_unpoison (mm/kasan/shadow.c:108 mm/kasan/shadow.c:142) 
[ 5.362189][ T1] ? __kasan_slab_alloc (mm/kasan/common.c:431 mm/kasan/common.c:469) 
[ 5.362189][ T1] kernel_init_freeable (init/main.c:1372 init/main.c:1389 init/main.c:1408 init/main.c:1613) 
[ 5.362189][ T1] ? console_on_rootfs (init/main.c:1584) 
[ 5.362189][ T1] ? _raw_spin_lock_irq (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:120 kernel/locking/spinlock.c:170) 
[ 5.362189][ T1] ? _raw_spin_lock (kernel/locking/spinlock.c:169) 
[ 5.362189][ T1] ? rest_init (init/main.c:1494) 
[ 5.362189][ T1] kernel_init (init/main.c:1504) 
[ 5.362189][ T1] ret_from_fork (arch/x86/entry/entry_64.S:301) 
[    5.362189][    T1]  </TASK>
[    5.362189][    T1]
[    5.362189][    T1] Allocated by task 1:
[ 5.362189][ T1] kasan_save_stack (mm/kasan/common.c:39) 
[ 5.362189][ T1] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515 mm/kasan/common.c:524) 
[ 5.362189][ T1] acpi_ut_initialize_buffer (drivers/acpi/acpica/utalloc.c:327) 
[ 5.362189][ T1] acpi_evaluate_object (drivers/acpi/acpica/nsxfeval.c:400) 
[ 5.362189][ T1] acpi_evaluate_object_typed (drivers/acpi/acpica/nsxfeval.c:84) 
[ 5.362189][ T1] acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:662) 
[ 5.362189][ T1] __acpi_processor_start (drivers/acpi/processor_driver.c:229) 
[ 5.362189][ T1] acpi_processor_start (drivers/acpi/processor_driver.c:259) 
[ 5.362189][ T1] really_probe (drivers/base/dd.c:751) 
[ 5.362189][ T1] __driver_probe_device (drivers/base/dd.c:755) 
[ 5.362189][ T1] driver_probe_device (drivers/base/dd.c:785) 
[ 5.362189][ T1] __driver_attach (drivers/base/dd.c:1145) 
[ 5.362189][ T1] bus_for_each_dev (drivers/base/bus.c:301) 
[ 5.362189][ T1] bus_add_driver (drivers/base/bus.c:619) 
[ 5.362189][ T1] driver_register (drivers/base/driver.c:171) 
[ 5.362189][ T1] acpi_processor_driver_init (drivers/acpi/processor_driver.c:322) 
[ 5.362189][ T1] do_one_initcall (init/main.c:1300) 
[ 5.362189][ T1] kernel_init_freeable (init/main.c:1372 init/main.c:1389 init/main.c:1408 init/main.c:1613) 
[ 5.362189][ T1] kernel_init (init/main.c:1504) 
[ 5.362189][ T1] ret_from_fork (arch/x86/entry/entry_64.S:301) 
[    5.362189][    T1]
[    5.362189][    T1] The buggy address belongs to the object at ffff888107b6ce00
[    5.362189][    T1]  which belongs to the cache kmalloc-64 of size 64
[    5.362189][    T1] The buggy address is located 48 bytes inside of
[    5.362189][    T1]  64-byte region [ffff888107b6ce00, ffff888107b6ce40)
[    5.362189][    T1] The buggy address belongs to the page:
[    5.362189][    T1] page:000000003f38ec2c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107b6c
[    5.362189][    T1] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[    5.362189][    T1] raw: 0017ffffc0000200 0000000000000000 dead000000000122 ffff888100042640
[    5.362189][    T1] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[    5.362189][    T1] page dumped because: kasan: bad access detected
[    5.362189][    T1]
[    5.362189][    T1] Memory state around the buggy address:
[    5.362189][    T1]  ffff888107b6cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    5.362189][    T1]  ffff888107b6cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    5.362189][    T1] >ffff888107b6ce00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[    5.362189][    T1]                                      ^
[    5.362189][    T1]  ffff888107b6ce80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[    5.362189][    T1]  ffff888107b6cf00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[    5.362189][    T1] ==================================================================
[    5.362189][    T1] Disabling lock debugging due to kernel taint
[    5.874911][    T1] thermal LNXTHERM:00: registered as thermal_zone0
[    5.881386][    T1] ACPI: thermal: Thermal Zone [TZ00] (28 C)
[    5.891815][    T1] thermal LNXTHERM:01: registered as thermal_zone1
[    5.898333][    T1] ACPI: thermal: Thermal Zone [TZ01] (30 C)
[    5.904719][    T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    5.911928][    T1] 00:01: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[    5.922511][    T1] Non-volatile memory driver v1.3
[    5.929002][    T1] rdac: device handler registered
[    5.934241][    T1] hp_sw: device handler registered
[    5.939338][    T1] emc: device handler registered
[    5.944440][    T1] alua: device handler registered


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-5.17.0-rc6-00002-g2ca8e6285250" of type "text/plain" (165720 bytes)

View attachment "job-script" of type "text/plain" (5286 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (23532 bytes)

View attachment "igt" of type "text/plain" (677 bytes)

View attachment "job.yaml" of type "text/plain" (4370 bytes)

View attachment "reproduce" of type "text/plain" (56 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ