[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Z-E-vXHVl3dLFYx0@lx-t490>
Date: Mon, 24 Mar 2025 12:15:09 +0100
From: "Ahmed S. Darwish" <darwi@...utronix.de>
To: kernel test robot <oliver.sang@...el.com>
Cc: oe-lkp@...ts.linux.dev, lkp@...el.com, linux-kernel@...r.kernel.org,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Thomas Gleixner <tglx@...utronix.de>,
Andrew Cooper <andrew.cooper3@...rix.com>,
"H. Peter Anvin" <hpa@...or.com>,
John Ogness <john.ogness@...utronix.de>, x86@...nel.org,
x86-cpuid@...ts.linux.dev
Subject: Re: [PATCH v3 22/29] x86/cpu: Use consolidated leaf 0x2 descriptor
table
Hi,
On Mon, 24 Mar 2025, kernel test robot wrote:
>
> [ 5.001760][ T0] BUG: KASAN: stack-out-of-bounds in intel_detect_tlb (arch/x86/kernel/cpu/intel.c:698 arch/x86/kernel/cpu/intel.c:688)
> [ 5.001760][ T0] Read of size 1 at addr ffffffff8a607e80 by task swapper/0/0
> [ 5.001760][ T0]
> [ 5.001760][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.14.0-rc5-00152-ge114ca069e27 #1
> [ 5.001760][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> [ 5.001760][ T0] Call Trace:
> [ 5.001760][ T0] <TASK>
> [ 5.001760][ T0] dump_stack_lvl (lib/dump_stack.c:124)
> [ 5.001760][ T0] print_address_description+0x2c/0x3f0
> [ 5.001760][ T0] ? intel_detect_tlb (arch/x86/kernel/cpu/intel.c:698 arch/x86/kernel/cpu/intel.c:688)
>
I've reproduced the KASAN report and below hunk fixes it:
| --- a/arch/x86/include/asm/cpuid/leaf_0x2_api.h
| +++ b/arch/x86/include/asm/cpuid/leaf_0x2_api.h
| @@ -88,9 +88,9 @@ static inline void cpuid_get_leaf_0x2_regs(union leaf_0x2_regs *regs)
| * }
| * }
| */
| -#define for_each_leaf_0x2_entry(regs, __ptr, entry) \
| - for (__ptr = &(regs).desc[1], entry = &cpuid_0x2_table[*__ptr]; \
| - __ptr < &(regs).desc[16]; \
| - __ptr++, entry = &cpuid_0x2_table[*__ptr])
| +#define for_each_leaf_0x2_entry(regs, __ptr, entry) \
| + for (__ptr = &(regs).desc[1]; \
| + __ptr < &(regs).desc[16] && (entry = &cpuid_0x2_table[*__ptr]); \
| + __ptr++)
I'll include the fix in v4.
(It also makes sense that this was triggered at x86/cpu intel.c and not
x86/cacheinfo, since in cacheinfo.c, CPUID(4) when available is always
preferred to CPUID(2).)
Thanks!
--
Ahmed S. Darwish
Linutronix GmbH
Powered by blists - more mailing lists