ereshetova
commented
1 year ago Likely related one:
BUG: KASAN: null-ptr-deref in swiotlb_bounce (kernel/dma/swiotlb.c:580) Read of size 5120 at addr 0000000000000000 by task sh/79
CPU: 0 PID: 79 Comm: sh Not tainted 6.0.0-rc2-g1d588de205f8 #1 Call Trace:
dump_stack_lvl (arch/x86/include/asm/irqflags.h:137 lib/dump_stack.c:107) print_report.cold (mm/kasan/report.c:445) ? swiotlb_bounce (kernel/dma/swiotlb.c:580) kasan_report (mm/kasan/report.c:504) ? swiotlb_bounce (kernel/dma/swiotlb.c:580) kasan_check_range (mm/kasan/generic.c:190) memcpy (mm/kasan/shadow.c:65) swiotlb_bounce (kernel/dma/swiotlb.c:580) swiotlb_tbl_map_single (kernel/dma/swiotlb.c:773) ? is_insn_slot_addr (kernel/kprobes.c:312) swiotlb_map (kernel/dma/swiotlb.c:872) ? tdx_fuzz (arch/x86/coco/tdx/kafl-agent.c:528) ? swiotlb_sync_single_for_cpu (kernel/dma/swiotlb.c:864) ? insn_get_addr_ref (arch/x86/lib/insn-eval.c:1420 arch/x86/lib/insn-eval.c:1459) ? insn_get_sib (arch/x86/lib/insn.c:422) dma_map_page_attrs (kernel/dma/direct.h:94 kernel/dma/mapping.c:156) ? tdx_enc_status_changed (arch/x86/coco/tdx/tdx.c:574) ? memset (mm/kasan/shadow.c:48) ? dma_unmap_resource (kernel/dma/mapping.c:145) ? memcpy (mm/kasan/shadow.c:70) vring_map_one_sg (drivers/virtio/virtio_ring.c:367) ? handle_io (arch/x86/coco/tdx/tdx.c:597) virtqueue_add_split (drivers/virtio/virtio_ring.c:383 drivers/virtio/virtio_ring.c:594) virtqueue_add (drivers/virtio/virtio_ring.c:2089) ? vring_unmap_one_split (drivers/virtio/virtio_ring.c:455) ? tdx_fuzz (arch/x86/coco/tdx/kafl-agent.c:528) ? detach_buf_split (drivers/virtio/virtio_ring.c:743) virtqueue_add_inbuf (drivers/virtio/virtio_ring.c:2167) ? virtqueue_add_outbuf (drivers/virtio/virtio_ring.c:2167) ? sg_init_one (include/linux/scatterlist.h:235 include/linux/scatterlist.h:356 lib/scatterlist.c:127 lib/scatterlist.c:140) add_inbuf (drivers/char/virtio_console.c:500) ? port_has_data (drivers/char/virtio_console.c:493) ? msi_get_virq (kernel/irq/msi.c:345) discard_port_data (drivers/char/virtio_console.c:521) ? virtio_pci_restore (include/linux/device.h:762 include/linux/pci.h:1957 drivers/virtio/virtio_pci_common.c:469) remove_port_data (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 include/linux/spinlock.h:399 drivers/char/virtio_console.c:1499) virtcons_freeze (drivers/char/virtio_console.c:2176 (discriminator 3)) virtio_device_freeze (drivers/virtio/virtio.c:510) virtio_pci_freeze (drivers/virtio/virtio_pci_common.c:474) pci_pm_suspend (drivers/pci/pci-driver.c:811) ? pci_pm_freeze (drivers/pci/pci-driver.c:773) dpm_run_callback (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/power.h:226 drivers/base/power/main.c:487) ? suspend_report_result (drivers/base/power/main.c:475) ? dev_pm_disarm_wake_irq (drivers/base/power/main.c:346) device_suspend (drivers/base/power/main.c:1704) ? async_suspend_late (drivers/base/power/main.c:1607) ? mutex_unlock_slowpath (kernel/locking/mutex.c:538) ? kasan_check_write (mm/kasan/shadow.c:38) dpm_suspend (drivers/base/power/main.c:1777) ? pci_pm_resume (drivers/pci/pci-driver.c:704) ? dpm_suspend_end (drivers/base/power/main.c:1755) ? mutex_lock_slowpath (kernel/locking/mutex.c:282) dpm_suspend_start (drivers/base/power/main.c:1957) suspend_devices_and_enter (kernel/power/suspend.c:494) ? swsusp_check.cold (kernel/printk/printk.c:2291) ? arch_suspend_enable_irqs+0x10/0x10 ? try_to_freeze_tasks.cold (kernel/power/process.c:110) pm_suspend.cold (kernel/power/suspend.c:585 kernel/power/suspend.c:612) state_store (kernel/power/main.c:644) ? kobj_attr_show (lib/kobject.c:823) kobj_attr_store (lib/kobject.c:826) ? kmalloc (include/linux/kasan.h:234 mm/slub.c:4424) sysfs_kf_write (fs/sysfs/file.c:137) ? kasan_check_write (mm/kasan/shadow.c:38) kernfs_fop_write_iter (fs/kernfs/file.c:358) vfs_write (fs/read_write.c:492 fs/read_write.c:578) ? vfs_read (fs/read_write.c:559) ksys_write (fs/read_write.c:631) ? __ia32_sys_read (fs/read_write.c:621) ? fput (arch/x86/include/asm/atomic64_64.h:118 include/linux/atomic/atomic-long.h:467 include/linux/atomic/atomic-instrumented.h:1814 fs/file_table.c:376) __x64_sys_write (fs/read_write.c:640) ? syscall_exit_to_user_mode (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 arch/x86/include/asm/nospec-branch.h:384 arch/x86/include/asm/entry-common.h:94 kernel/entry/common.c:133 kernel/entry/common.c:296) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x49a257 Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
All code
0: 64 89 02 mov %eax,%fs:(%rdx)
3: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
a: eb bb jmp 0xffffffffffffffc7
c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
13: f3 0f 1e fa endbr64
17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax
1e: 00
1f: 85 c0 test %eax,%eax
21: 75 10 jne 0x33
23: b8 01 00 00 00 mov $0x1,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 77 51 ja 0x83
32: c3 retq
33: 48 83 ec 28 sub $0x28,%rsp
37: 48 89 54 24 18 mov %rdx,0x18(%rsp)
3c: 48 rex.W
3d: 89 .byte 0x89
3e: 74 24 je 0x64
Code starting with the faulting instruction
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 77 51 ja 0x59
8: c3 retq
9: 48 83 ec 28 sub $0x28,%rsp
d: 48 89 54 24 18 mov %rdx,0x18(%rsp)
12: 48 rex.W
13: 89 .byte 0x89
14: 74 24 je 0x3a
RSP: 002b:00007ffdf226f738 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000049a257
RDX: 0000000000000004 RSI: 0000000000618e90 RDI: 0000000000000001
RBP: 0000000000618e90 R08: 0000000000618e90 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 00000000006168a0 R14: 0000000000609c01 R15: 00007ffdf226f7a0
Disabling lock debugging due to kernel taint
Found on kernel: 6.0.0-rc2 via US_RESUME_SUSPEND harness.
BUG: KASAN: slab-out-of-bounds in swiotlb_bounce (kernel/dma/swiotlb.c:580) Read of size 4096 at addr ffff88802c5c0200 by task sh/79 CPU: 0 PID: 79 Comm: sh Not tainted 6.0.0-rc2-g1d588de205f8
Call Trace:
TASK dump_stack_lvl (arch/x86/include/asm/irqflags.h:137 lib/dump_stack.c:107) print_report.cold (mm/kasan/report.c:325 mm/kasan/report.c:440) ? swiotlb_bounce (kernel/dma/swiotlb.c:580) kasan_report (mm/kasan/report.c:504) ? swiotlb_bounce (kernel/dma/swiotlb.c:580) kasan_check_range (mm/kasan/generic.c:190) memcpy (mm/kasan/shadow.c:65) swiotlb_bounce (kernel/dma/swiotlb.c:580) swiotlb_tbl_map_single (kernel/dma/swiotlb.c:773) ? is_insn_slot_addr (kernel/kprobes.c:312) swiotlb_map (kernel/dma/swiotlb.c:872) ? tdx_fuzz (arch/x86/coco/tdx/kafl-agent.c:528) ? swiotlb_sync_single_for_cpu (kernel/dma/swiotlb.c:864) ? insn_get_addr_ref (arch/x86/lib/insn-eval.c:1420 arch/x86/lib/insn-eval.c:1459) ? insn_get_sib (arch/x86/lib/insn.c:422) dma_map_page_attrs (kernel/dma/direct.h:94 kernel/dma/mapping.c:156) ? tdx_enc_status_changed (arch/x86/coco/tdx/tdx.c:574) ? memset (mm/kasan/shadow.c:48) ? dma_unmap_resource (kernel/dma/mapping.c:145) ? memcpy (mm/kasan/shadow.c:70) vring_map_one_sg (drivers/virtio/virtio_ring.c:367) ? handle_io (arch/x86/coco/tdx/tdx.c:597) virtqueue_add_split (drivers/virtio/virtio_ring.c:383 drivers/virtio/virtio_ring.c:594) virtqueue_add (drivers/virtio/virtio_ring.c:2089) ? vring_unmap_one_split (drivers/virtio/virtio_ring.c:455) ? tdx_fuzz (arch/x86/coco/tdx/kafl-agent.c:528) ? detach_buf_split (drivers/virtio/virtio_ring.c:743) virtqueue_add_inbuf (drivers/virtio/virtio_ring.c:2167) ? virtqueue_add_outbuf (drivers/virtio/virtio_ring.c:2167) ? sg_init_one (include/linux/scatterlist.h:235 include/linux/scatterlist.h:356 lib/scatterlist.c:127 lib/scatterlist.c:140) add_inbuf (drivers/char/virtio_console.c:500) ? port_has_data (drivers/char/virtio_console.c:493) ? msi_get_virq (kernel/irq/msi.c:345) discard_port_data (drivers/char/virtio_console.c:521) ? virtio_pci_restore (include/linux/device.h:762 include/linux/pci.h:1957 drivers/virtio/virtio_pci_common.c:469) remove_port_data (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 include/linux/spinlock.h:399 drivers/char/virtio_console.c:1499) virtcons_freeze (drivers/char/virtio_console.c:2176 (discriminator 3)) virtio_device_freeze (drivers/virtio/virtio.c:510) virtio_pci_freeze (drivers/virtio/virtio_pci_common.c:474) pci_pm_suspend (drivers/pci/pci-driver.c:811) ? pci_pm_freeze (drivers/pci/pci-driver.c:773) dpm_run_callback (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/power.h:226 drivers/base/power/main.c:487) ? suspend_report_result (drivers/base/power/main.c:475) ? dev_pm_disarm_wake_irq (drivers/base/power/main.c:346) device_suspend (drivers/base/power/main.c:1704) ? async_suspend_late (drivers/base/power/main.c:1607) ? mutex_unlock_slowpath (kernel/locking/mutex.c:538) ? kasan_check_write (mm/kasan/shadow.c:38) dpm_suspend (drivers/base/power/main.c:1777) ? pci_pm_resume (drivers/pci/pci-driver.c:704) ? dpm_suspend_end (drivers/base/power/main.c:1755) ? mutex_lock_slowpath (kernel/locking/mutex.c:282) dpm_suspend_start (drivers/base/power/main.c:1957) suspend_devices_and_enter (kernel/power/suspend.c:494) ? swsusp_check.cold (kernel/printk/printk.c:2291) ? arch_suspend_enable_irqs+0x10/0x10 ? try_to_freeze_tasks.cold (kernel/power/process.c:110) pm_suspend.cold (kernel/power/suspend.c:585 kernel/power/suspend.c:612) state_store (kernel/power/main.c:644) ? kobj_attr_show (lib/kobject.c:823) kobj_attr_store (lib/kobject.c:826) ? kmalloc (include/linux/kasan.h:234 mm/slub.c:4424) sysfs_kf_write (fs/sysfs/file.c:137) ? kasan_check_write (mm/kasan/shadow.c:38) kernfs_fop_write_iter (fs/kernfs/file.c:358) vfs_write (fs/read_write.c:492 fs/read_write.c:578) ? vfs_read (fs/read_write.c:559) ksys_write (fs/read_write.c:631) ? __ia32_sys_read (fs/read_write.c:621) ? fput (arch/x86/include/asm/atomic64_64.h:118 include/linux/atomic/atomic-long.h:467 include/linux/atomic/atomic-instrumented.h:1814 fs/file_table.c:376) __x64_sys_write (fs/read_write.c:640) ? syscall_exit_to_user_mode (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 arch/x86/include/asm/nospec-branch.h:384 arch/x86/include/asm/entry-common.h:94 kernel/entry/common.c:133 kernel/entry/common.c:296) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x49a257 Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
All code 0: 64 89 02 mov %eax,%fs:(%rdx) 3: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax a: eb bb jmp 0xffffffffffffffc7 c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 retq
33: 48 83 ec 28 sub $0x28,%rsp 37: 48 89 54 24 18 mov %rdx,0x18(%rsp) 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 74 24 je 0x64
Code starting with the faulting instruction
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 retq
9: 48 83 ec 28 sub $0x28,%rsp d: 48 89 54 24 18 mov %rdx,0x18(%rsp) 12: 48 rex.W 13: 89 .byte 0x89 14: 74 24 je 0x3a RSP: 002b:00007ffdf226f738 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000049a257 RDX: 0000000000000004 RSI: 0000000000618e90 RDI: 0000000000000001 RBP: 0000000000618e90 R08: 0000000000618e90 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00000000006168a0 R14: 0000000000609c01 R15: 00007ffdf226f7a0
Allocated by task 1: kasan_save_stack (mm/kasan/common.c:39) __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525) kmem_cache_alloc_trace (mm/slub.c:3286) kobject_uevent_env (lib/kobject_uevent.c:525) kobject_uevent (lib/kobject_uevent.c:643) driver_bound (drivers/base/dd.c:391) really_probe (drivers/base/dd.c:665) driver_probe_device (drivers/base/dd.c:753) driver_probe_device (drivers/base/dd.c:783) driver_attach (drivers/base/dd.c:1156) bus_for_each_dev (drivers/base/bus.c:300) driver_attach (drivers/base/dd.c:1173) bus_add_driver (drivers/base/bus.c:618) driver_register (drivers/base/driver.c:240) register_virtio_driver (drivers/virtio/virtio.c:360) virtio_console_init (drivers/char/virtio_console.c:2268) do_one_initcall (init/main.c:1421) kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768) kernel_init (init/main.c:1654) ret_from_fork (arch/x86/entry/entry_64.S:312)
Freed by task 1: kasan_save_stack (mm/kasan/common.c:39) kasan_set_track (mm/kasan/common.c:45) kasan_set_free_info (mm/kasan/generic.c:372) __kasan_slab_free (mm/kasan/common.c:369 mm/kasan/common.c:375) kfree (mm/slub.c:1780 mm/slub.c:3534 mm/slub.c:4562) kobject_uevent_env (lib/kobject_uevent.c:627) kobject_uevent (lib/kobject_uevent.c:643) driver_bound (drivers/base/dd.c:391) really_probe (drivers/base/dd.c:665) driver_probe_device (drivers/base/dd.c:753) driver_probe_device (drivers/base/dd.c:783) driver_attach (drivers/base/dd.c:1156) bus_for_each_dev (drivers/base/bus.c:300) driver_attach (drivers/base/dd.c:1173) bus_add_driver (drivers/base/bus.c:618) driver_register (drivers/base/driver.c:240) register_virtio_driver (drivers/virtio/virtio.c:360) virtio_console_init (drivers/char/virtio_console.c:2268) do_one_initcall (init/main.c:1421) kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768) kernel_init (init/main.c:1654) ret_from_fork (arch/x86/entry/entry_64.S:312)
The buggy address belongs to the object at ffff88802c5c1000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 3584 bytes to the left of 4096-byte region [ffff88802c5c1000, ffff88802c5c2000)
The buggy address belongs to the physical page: page:ffffea0000b17000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2c5c0 head:ffffea0000b17000 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x4000000000010200(slab|head|zone=1) raw: 4000000000010200 ffffea0000b17208 ffffea0000b16e08 ffff888005c424c0 raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffff88802c5c0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88802c5c0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Disabling lock debugging due to kernel taint