[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <88f1df7e-8347-45f7-a2a1-e321e72e4009@linux.ibm.com>
Date: Tue, 7 Oct 2025 10:59:12 +0530
From: Venkat Rao Bagalkote <venkat88@...ux.ibm.com>
To: LKML <linux-kernel@...r.kernel.org>,
linuxppc-dev <linuxppc-dev@...ts.ozlabs.org>,
Madhavan Srinivasan <maddy@...ux.ibm.com>,
linux-kselftest@...r.kernel.org
Subject: [linux-next20251003] tmp2 selftests resulting in Kernel OOPs
Greetings!!!
IBM CI has reported a kernel OOPs while running TPM2selftests on IBM
Power11 system with linux-next20251002 kernel.
Test Case:
make run_tests
TAP version 13
1..3
# timeout set to 600
# selftests: tpm2: test_smoke.sh
# test_read_partial_overwrite (tpm2_tests.SmokeTest) ... ok
# test_read_partial_resp (tpm2_tests.SmokeTest) ... ok
# test_seal_with_auth (tpm2_tests.SmokeTest) ... ok
# test_seal_with_policy (tpm2_tests.SmokeTest) ... ok
# test_seal_with_too_long_auth (tpm2_tests.SmokeTest) ... ok
# test_send_two_cmds (tpm2_tests.SmokeTest) ... ok
# test_too_short_cmd (tpm2_tests.SmokeTest) ... ok
# test_unseal_with_wrong_auth (tpm2_tests.SmokeTest) ... ok
# test_unseal_with_wrong_policy (tpm2_tests.SmokeTest) ... ERROR
#
# ======================================================================
# ERROR: test_unseal_with_wrong_policy (tpm2_tests.SmokeTest)
# -----------------------------------------------------
Traces:
[ 452.604333] BUG: KASAN: slab-use-after-free in tpmrm_release+0x78/0xa8
[ 452.604345] Read of size 8 at addr c00000001c650000 by task python3/1856
[ 452.604353]
[ 452.604358] CPU: 24 UID: 0 PID: 1856 Comm: python3 Kdump: loaded Not
tainted 6.17.0-next-20251003 #1 VOLUNTARY
[ 452.604364] Hardware name: IBM,9080-HEX Power11 (architected)
0x820200 0xf000007 of:IBM,FW1110.01 (NH1110_069) hv:phyp pSeries
[ 452.604368] Call Trace:
[ 452.604370] [c0000000c1867840] [c00000000187ea4c]
dump_stack_lvl+0x84/0xe8 (unreliable)
[ 452.604380] [c0000000c1867870] [c000000000803754]
print_address_description.constprop.0+0x11c/0x56c
[ 452.604388] [c0000000c1867910] [c000000000803c84] print_report+0xe0/0x358
[ 452.604394] [c0000000c18679e0] [c000000000804124]
kasan_report+0x128/0x1f4
[ 452.604400] [c0000000c1867af0] [c0000000008062b4] __asan_load8+0xa8/0xe0
[ 452.604406] [c0000000c1867b10] [c000000000f2ec18] tpmrm_release+0x78/0xa8
[ 452.604412] [c0000000c1867b40] [c0000000008b6a2c] __fput+0x21c/0x60c
[ 452.604417] [c0000000c1867bc0] [c0000000008ada70] sys_close+0x74/0xd0
[ 452.604424] [c0000000c1867bf0] [c000000000039270]
system_call_exception+0x1e0/0x460
[ 452.604431] [c0000000c1867e50] [c00000000000d05c]
system_call_vectored_common+0x15c/0x2ec
[ 452.604438] ---- interrupt: 3000 at 0x7fffb7534ab4
[ 452.604443] NIP: 00007fffb7534ab4 LR: 00007fffb7534ab4 CTR:
0000000000000000
[ 452.604446] REGS: c0000000c1867e80 TRAP: 3000 Not tainted
(6.17.0-next-20251003)
[ 452.604449] MSR: 800000000280f033
<SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44284422 XER: 00000000
[ 452.604466] IRQMASK: 0
[ 452.604466] GPR00: 0000000000000006 00007ffff65d76b0 00007fffb7c17700
0000000000000006
[ 452.604466] GPR04: 0000000000000000 0000000000000000 0000000000000000
0000000000000004
[ 452.604466] GPR08: 0000000000000000 0000000000000000 0000000000000000
0000000000000000
[ 452.604466] GPR12: 0000000000000000 00007fffb7e6b8e0 00000000000000a1
00007fffb67acec0
[ 452.604466] GPR16: 0000000164032ad0 00007fffb67aceb0 00007fffb76f6a90
0000000000000000
[ 452.604466] GPR20: 00007fffb6f21850 0000000000000000 00007fffb71062c0
0000000164034490
[ 452.604466] GPR24: 00007fffb6f2fea0 00007fffb67acea8 0000000164032b18
00007fffb7c45b32
[ 452.604466] GPR28: 00007fffb7c678e0 00007fffb67aceb8 0000000000000006
0000000164034490
[ 452.604510] NIP [00007fffb7534ab4] 0x7fffb7534ab4
[ 452.604513] LR [00007fffb7534ab4] 0x7fffb7534ab4
[ 452.604516] ---- interrupt: 3000
[ 452.604518]
[ 452.604601] Allocated by task 1856:
[ 452.604607] kasan_save_stack+0x34/0x64
[ 452.604614] kasan_save_track+0x2c/0x50
[ 452.604621] kasan_save_alloc_info+0x58/0x74
[ 452.604628] __kasan_kmalloc+0x12c/0x168
[ 452.604635] __kmalloc_cache_noprof+0x1d8/0x71c
[ 452.604643] tpmrm_open+0x88/0x168
[ 452.604649] chrdev_open+0x1f4/0x484
[ 452.604656] do_dentry_open+0x578/0x9cc
[ 452.604663] vfs_open+0x68/0x23c
[ 452.604670] do_open+0x514/0x74c
[ 452.604676] path_openat+0x16c/0x380
[ 452.604682] do_filp_open+0x104/0x230
[ 452.604689] do_sys_openat2+0xb8/0x154
[ 452.604696] sys_openat+0xcc/0x130
[ 452.604703] system_call_exception+0x1e0/0x460
[ 452.604710] system_call_vectored_common+0x15c/0x2ec
[ 452.604718]
[ 452.604722] Freed by task 1856:
[ 452.604726] kasan_save_stack+0x34/0x64
[ 452.604733] kasan_save_track+0x2c/0x50
[ 452.604739] __kasan_save_free_info+0x64/0x110
[ 452.604747] __kasan_slab_free+0xb0/0x10c
[ 452.604753] kfree+0x220/0x624
[ 452.604760] tpmrm_release+0x6c/0xa8
[ 452.604766] __fput+0x21c/0x60c
[ 452.604772] sys_close+0x74/0xd0
[ 452.604779] system_call_exception+0x1e0/0x460
[ 452.604786] system_call_vectored_common+0x15c/0x2ec
[ 452.604794]
[ 452.604797] The buggy address belongs to the object at c00000001c650000
[ 452.604797] which belongs to the cache kmalloc-8k of size 8192
[ 452.604806] The buggy address is located 0 bytes inside of
[ 452.604806] freed 8192-byte region [c00000001c650000, c00000001c652000)
[ 452.604815]
[ 452.604818] The buggy address belongs to the physical page:
[ 452.604824] page: refcount:0 mapcount:0 mapping:0000000000000000
index:0xc00000001c644000 pfn:0x1c60
[ 452.604833] head: order:3 mapcount:0 entire_mapcount:0
nr_pages_mapped:0 pincount:0
[ 452.604840] flags:
0x3ffffe00000040(head|node=0|zone=0|lastcpupid=0x1fffff)
[ 452.604849] page_type: f5(slab)
[ 452.604856] raw: 003ffffe00000040 c000000007012300 5deadbeef0000122
0000000000000000
[ 452.604864] raw: c00000001c644000 000000008020001e 00000000f5000000
0000000000000000
[ 452.604872] head: 003ffffe00000040 c000000007012300 5deadbeef0000122
0000000000000000
[ 452.604879] head: c00000001c644000 000000008020001e 00000000f5000000
0000000000000000
[ 452.604887] head: 003ffffe00000003 c00c000000071801 00000000ffffffff
00000000ffffffff
[ 452.604894] head: ffffffffffffffff 0000000000000000 00000000ffffffff
0000000000000008
[ 452.604900] page dumped because: kasan: bad access detected
[ 452.604905]
[ 452.604908] Memory state around the buggy address:
[ 452.604914] c00000001c64ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc
[ 452.604920] c00000001c64ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc
[ 452.604927] >c00000001c650000: fa fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 452.604933] ^
[ 452.604937] c00000001c650080: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 452.604944] c00000001c650100: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 452.604950]
==================================================================
[ 452.604955] Disabling lock debugging due to kernel taint
[ 452.604961] Kernel attempted to read user page (770) - exploit
attempt? (uid: 0)
[ 452.604969] BUG: Kernel NULL pointer dereference on read at 0x00000770
[ 452.604975] Faulting instruction address: 0xc0000000002b2e0c
[ 452.604982] Oops: Kernel access of bad area, sig: 11 [#1]
[ 452.604987] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries
[ 452.604996] Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6
nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct
nft_chain_nat nf_nat bonding nf_conntrack tls nf_defrag_ipv6
nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink sunrpc pseries_rng
vmx_crypto fuse ext4 crc16 mbcache jbd2 sd_mod sg ibmvscsi ibmveth
scsi_transport_srp pseries_wdt
[ 452.605073] CPU: 24 UID: 0 PID: 1856 Comm: python3 Kdump: loaded
Tainted: G B 6.17.0-next-20251003 #1 VOLUNTARY
[ 452.605084] Tainted: [B]=BAD_PAGE
[ 452.605089] Hardware name: IBM,9080-HEX Power11 (architected)
0x820200 0xf000007 of:IBM,FW1110.01 (NH1110_069) hv:phyp pSeries
[ 452.605096] NIP: c0000000002b2e0c LR: c0000000002b2e08 CTR:
0000000000000000
[ 452.605103] REGS: c0000000c1867820 TRAP: 0300 Tainted: G B
(6.17.0-next-20251003)
[ 452.605110] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR:
28284420 XER: 0000000d
[ 452.605132] CFAR: c000000000807920 DAR: 0000000000000770 DSISR:
40000000 IRQMASK: 0
[ 452.605132] GPR00: c0000000002b2e08 c0000000c1867ac0 c00000000234a500
0000000000000001
[ 452.605132] GPR04: 0000000000000008 0000000000000000 c0000000002b2e08
0000000000000001
[ 452.605132] GPR08: 0000000000000020 0000000000000001 0000000000000001
a80e000000000000
[ 452.605132] GPR12: c00e0000009b1c8c c000000d0ddeb700 0000000000000000
0000000000000000
[ 452.605132] GPR16: 0000000000000000 0000000000000000 0000000000000000
0000000000000000
[ 452.605132] GPR20: 0000000000000008 0000000000000000 c000000008202f00
c00000007b9ff620
[ 452.605132] GPR24: c00000008a76cb20 c00000008a76cb40 c00000008a76cb08
c000000002201e80
[ 452.605132] GPR28: c000000061569248 0000000000000770 c00000008a76cb00
0000000000000768
[ 452.605227] NIP [c0000000002b2e0c] up_read+0x50/0x17c
[ 452.605237] LR [c0000000002b2e08] up_read+0x4c/0x17c
[ 452.605245] Call Trace:
[ 452.605249] [c0000000c1867ac0] [c0000000002b2e08] up_read+0x4c/0x17c
(unreliable)
[ 452.605261] [c0000000c1867b10] [c000000000f2ec28] tpmrm_release+0x88/0xa8
[ 452.605271] [c0000000c1867b40] [c0000000008b6a2c] __fput+0x21c/0x60c
[ 452.605280] [c0000000c1867bc0] [c0000000008ada70] sys_close+0x74/0xd0
[ 452.605291] [c0000000c1867bf0] [c000000000039270]
system_call_exception+0x1e0/0x460
[ 452.605301] [c0000000c1867e50] [c00000000000d05c]
system_call_vectored_common+0x15c/0x2ec
[ 452.605312] ---- interrupt: 3000 at 0x7fffb7534ab4
[ 452.605319] NIP: 00007fffb7534ab4 LR: 00007fffb7534ab4 CTR:
0000000000000000
[ 452.605326] REGS: c0000000c1867e80 TRAP: 3000 Tainted: G B
(6.17.0-next-20251003)
[ 452.605333] MSR: 800000000280f033
<SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44284422 XER: 00000000
[ 452.605362] IRQMASK: 0
[ 452.605362] GPR00: 0000000000000006 00007ffff65d76b0 00007fffb7c17700
0000000000000006
[ 452.605362] GPR04: 0000000000000000 0000000000000000 0000000000000000
0000000000000004
[ 452.605362] GPR08: 0000000000000000 0000000000000000 0000000000000000
0000000000000000
[ 452.605362] GPR12: 0000000000000000 00007fffb7e6b8e0 00000000000000a1
00007fffb67acec0
[ 452.605362] GPR16: 0000000164032ad0 00007fffb67aceb0 00007fffb76f6a90
0000000000000000
[ 452.605362] GPR20: 00007fffb6f21850 0000000000000000 00007fffb71062c0
0000000164034490
[ 452.605362] GPR24: 00007fffb6f2fea0 00007fffb67acea8 0000000164032b18
00007fffb7c45b32
[ 452.605362] GPR28: 00007fffb7c678e0 00007fffb67aceb8 0000000000000006
0000000164034490
[ 452.605450] NIP [00007fffb7534ab4] 0x7fffb7534ab4
[ 452.605456] LR [00007fffb7534ab4] 0x7fffb7534ab4
[ 452.605462] ---- interrupt: 3000
[ 452.605467] Code: fbc1fff0 7c7f1b78 f8010010 f821ffb1 e92d0c78
f9210028 39200000 3ba30008 38800008 7fa3eb78 48554af5 60000000
<ebdf0008> eb8d0908 7bc90764 fbc10020
[ 452.605501] ---[ end trace 0000000000000000 ]---
[ 452.613685] pstore: backend (nvram) writing error (-1)
[ 452.613691]
If you happen to fix this, please add below tag.
Reported-by: Venkat Rao Bagalkote <venkat88@...ux.ibm.com>
Regards,
Venkat.
Powered by blists - more mailing lists