Message-ID: <20220322143534.GC32582@xsang-OptiPlex-9020>
Date:   Tue, 22 Mar 2022 22:35:34 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>
Cc:     Mario Limonciello <Mario.Limonciello@....com>,
        Huang Rui <ray.huang@....com>,
        Mika Westerberg <mika.westerberg@...ux.intel.com>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [ACPI]  2ca8e62852: BUG:KASAN:slab-out-of-bounds_in_acpi_cppc_processor_probe
(please note that we reported
"[ACPI]  2ca8e62852: BUG:KASAN:slab-out-of-bounds_in_acpi_cppc_processor_probe"
when the commit was still on the devel branch, at
https://lore.kernel.org/all/20220320134845.GB6208@xsang-OptiPlex-9020/

now we have noticed the commit merged into mainline, and in our tests the issue
still exists, so we are reporting it again for information)

Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 2ca8e6285250c07a2e5a22ecbfd59b5a4ef73484 ("Revert "ACPI: Pass the same capabilities to the _OSC regardless of the query flag"")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

in testcase: xfstests
version: xfstests-x86_64-1de1db8-1_20220217
with following parameters:

	disk: 4HDD
	fs: btrfs
	test: generic-525
	ucode: 0xec

test-description: xfstests is a regression test suite for xfs and other file systems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git
on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz with 32G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 5.497580][ T1] BUG: KASAN: slab-out-of-bounds in acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688) 
[    5.497580][    T1] Read of size 4 at addr ffff888107b34530 by task swapper/0/1
[    5.497580][    T1]
[    5.497580][    T1] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G          I       5.17.0-rc6-00002-g2ca8e6285250 #1
[    5.497580][    T1] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.1.1 10/07/2015
[    5.497580][    T1] Call Trace:
[    5.497580][    T1]  <TASK>
[ 5.497580][ T1] dump_stack_lvl (lib/dump_stack.c:107) 
[ 5.497580][ T1] print_address_description+0x21/0x180 
[ 5.497580][ T1] ? acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688) 
[ 5.497580][ T1] ? acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688) 
[ 5.497580][ T1] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459) 
[ 5.497580][ T1] ? acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688) 
[ 5.497580][ T1] acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:688) 
[ 5.497580][ T1] ? down_write (arch/x86/include/asm/atomic64_64.h:34 include/linux/atomic/atomic-long.h:41 include/linux/atomic/atomic-instrumented.h:1280 kernel/locking/rwsem.c:138 kernel/locking/rwsem.c:255 kernel/locking/rwsem.c:1258 kernel/locking/rwsem.c:1268 kernel/locking/rwsem.c:1515) 
[ 5.497580][ T1] ? acpi_get_psd_map (drivers/acpi/cppc_acpi.c:647) 
[ 5.497580][ T1] ? kernfs_activate (fs/kernfs/dir.c:1312) 
[ 5.497580][ T1] ? up_write (arch/x86/include/asm/atomic64_64.h:172 include/linux/atomic/atomic-long.h:95 include/linux/atomic/atomic-instrumented.h:1348 kernel/locking/rwsem.c:1318 kernel/locking/rwsem.c:1567) 
[ 5.497580][ T1] ? mutex_unlock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:449 include/linux/atomic/atomic-instrumented.h:1790 kernel/locking/mutex.c:178 kernel/locking/mutex.c:537) 
[ 5.497580][ T1] __acpi_processor_start (drivers/acpi/processor_driver.c:229) 
[ 5.497580][ T1] acpi_processor_start (drivers/acpi/processor_driver.c:259) 
[ 5.497580][ T1] really_probe (drivers/base/dd.c:751) 
[ 5.497580][ T1] __driver_probe_device (drivers/base/dd.c:755) 
[ 5.497580][ T1] driver_probe_device (drivers/base/dd.c:785) 
[ 5.497580][ T1] __driver_attach (drivers/base/dd.c:1145) 
[ 5.497580][ T1] ? __device_attach_driver (drivers/base/dd.c:1097) 
[ 5.497580][ T1] bus_for_each_dev (drivers/base/bus.c:301) 
[ 5.497580][ T1] ? _raw_spin_lock_bh (kernel/locking/spinlock.c:153) 
[ 5.497580][ T1] ? subsys_dev_iter_exit (drivers/base/bus.c:290) 
[ 5.497580][ T1] ? klist_node_init (arch/x86/include/asm/atomic.h:41 include/linux/atomic/atomic-instrumented.h:42 include/linux/refcount.h:136 include/linux/kref.h:31 lib/klist.c:111) 
[ 5.497580][ T1] bus_add_driver (drivers/base/bus.c:619) 
[ 5.497580][ T1] driver_register (drivers/base/driver.c:171) 
[ 5.497580][ T1] acpi_processor_driver_init (drivers/acpi/processor_driver.c:322) 
[ 5.497580][ T1] ? acpi_pci_slot_init (drivers/acpi/processor_driver.c:316) 
[ 5.497580][ T1] do_one_initcall (init/main.c:1300) 
[ 5.497580][ T1] ? trace_event_raw_event_initcall_level (init/main.c:1291) 
[ 5.497580][ T1] ? parameq (kernel/params.c:170) 
[ 5.497580][ T1] ? kasan_unpoison (mm/kasan/shadow.c:108 mm/kasan/shadow.c:142) 
[ 5.497580][ T1] ? __kasan_slab_alloc (mm/kasan/common.c:431 mm/kasan/common.c:469) 
[ 5.497580][ T1] kernel_init_freeable (init/main.c:1372 init/main.c:1389 init/main.c:1408 init/main.c:1613) 
[ 5.497580][ T1] ? console_on_rootfs (init/main.c:1584) 
[ 5.497580][ T1] ? _raw_spin_lock_irq (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:120 kernel/locking/spinlock.c:170) 
[ 5.497580][ T1] ? _raw_spin_lock (kernel/locking/spinlock.c:169) 
[ 5.497580][ T1] ? rest_init (init/main.c:1494) 
[ 5.497580][ T1] kernel_init (init/main.c:1504) 
[ 5.497580][ T1] ret_from_fork (arch/x86/entry/entry_64.S:301) 
[    5.497580][    T1]  </TASK>
[    5.497580][    T1]
[    5.497580][    T1] Allocated by task 1:
[ 5.497580][ T1] kasan_save_stack (mm/kasan/common.c:39) 
[ 5.497580][ T1] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515 mm/kasan/common.c:524) 
[ 5.497580][ T1] acpi_ut_initialize_buffer (drivers/acpi/acpica/utalloc.c:327) 
[ 5.497580][ T1] acpi_evaluate_object (drivers/acpi/acpica/nsxfeval.c:400) 
[ 5.497580][ T1] acpi_evaluate_object_typed (drivers/acpi/acpica/nsxfeval.c:84) 
[ 5.497580][ T1] acpi_cppc_processor_probe (drivers/acpi/cppc_acpi.c:662) 
[ 5.497580][ T1] __acpi_processor_start (drivers/acpi/processor_driver.c:229) 
[ 5.497580][ T1] acpi_processor_start (drivers/acpi/processor_driver.c:259) 
[ 5.497580][ T1] really_probe (drivers/base/dd.c:751) 
[ 5.497580][ T1] __driver_probe_device (drivers/base/dd.c:755) 
[ 5.497580][ T1] driver_probe_device (drivers/base/dd.c:785) 
[ 5.497580][ T1] __driver_attach (drivers/base/dd.c:1145) 
[ 5.497580][ T1] bus_for_each_dev (drivers/base/bus.c:301) 
[ 5.497580][ T1] bus_add_driver (drivers/base/bus.c:619) 
[ 5.497580][ T1] driver_register (drivers/base/driver.c:171) 
[ 5.497580][ T1] acpi_processor_driver_init (drivers/acpi/processor_driver.c:322) 
[ 5.497580][ T1] do_one_initcall (init/main.c:1300) 
[ 5.497580][ T1] kernel_init_freeable (init/main.c:1372 init/main.c:1389 init/main.c:1408 init/main.c:1613) 
[ 5.497580][ T1] kernel_init (init/main.c:1504) 
[ 5.497580][ T1] ret_from_fork (arch/x86/entry/entry_64.S:301) 
[    5.497580][    T1]
[    5.497580][    T1] The buggy address belongs to the object at ffff888107b34500
[    5.497580][    T1]  which belongs to the cache kmalloc-64 of size 64
[    5.497580][    T1] The buggy address is located 48 bytes inside of
[    5.497580][    T1]  64-byte region [ffff888107b34500, ffff888107b34540)
[    5.497580][    T1] The buggy address belongs to the page:
[    5.497580][    T1] page:00000000a9f33e01 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107b34
[    5.497580][    T1] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[    5.497580][    T1] raw: 0017ffffc0000200 0000000000000000 dead000000000122 ffff888100042640
[    5.497580][    T1] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[    5.497580][    T1] page dumped because: kasan: bad access detected
[    5.497580][    T1]
[    5.497580][    T1] Memory state around the buggy address:
[    5.497580][    T1]  ffff888107b34400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    5.497580][    T1]  ffff888107b34480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    5.497580][    T1] >ffff888107b34500: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[    5.497580][    T1]                                      ^
[    5.497580][    T1]  ffff888107b34580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    5.497580][    T1]  ffff888107b34600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    5.497580][    T1] ==================================================================
[    5.497580][    T1] Disabling lock debugging due to kernel taint
[    6.012460][    T1] thermal LNXTHERM:00: registered as thermal_zone0
[    6.018941][    T1] ACPI: thermal: Thermal Zone [TZ00] (28 C)
[    6.028002][    T1] thermal LNXTHERM:01: registered as thermal_zone1
[    6.034483][    T1] ACPI: thermal: Thermal Zone [TZ01] (30 C)
[    6.040918][    T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    6.048181][    T1] 00:01: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[    6.058836][    T1] Non-volatile memory driver v1.3
[    6.065286][    T1] rdac: device handler registered
[    6.070527][    T1] hp_sw: device handler registered
[    6.075628][    T1] emc: device handler registered
[    6.080807][    T1] alua: device handler registered
To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.
-- 
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.17.0-rc6-00002-g2ca8e6285250" of type "text/plain" (165720 bytes)

View attachment "job-script" of type "text/plain" (5560 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (28020 bytes)

View attachment "xfstests" of type "text/plain" (627 bytes)

View attachment "job.yaml" of type "text/plain" (4684 bytes)

View attachment "reproduce" of type "text/plain" (651 bytes)