Re: [thermal] 24bc2fa031: BUG: KASAN: slab-out-of-bounds in thermal_zone_device_register+0x749/0x10a0 at addr ffff880000134140

[Zhang Rui <rui.zhang@intel.com>]

[-- Attachment #1: Type: text/plain, Size: 15268 bytes --]

On 四, 2016-06-16 at 09:27 +0800, kernel test robot wrote:
> FYI, we noticed the following commit:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
> master
> commit 24bc2fa031f094c05c017a862732924cb46ad2c1 ("thermal: core: move
> trips attributes to tz->device.groups")
> 
this should be fixed in the latest thermal -next branch, by the
following refreshed patch,

thanks,
rui

>From e1e917e790b70b88bd418545a29b1eefa01a5566 Mon Sep 17 00:00:00 2001
From: Eduardo Valentin <edubezval@gmail.com>
Date: Mon, 30 May 2016 23:18:21 -0700
Subject: [PATCH] thermal: core: move trips attributes to tz->device.groups

Finally, move the last thermal zone sysfs attributes to
tz->device.groups: trips attributes. This requires adding a
attribute_group to thermal_zone_device, creating it dynamically, and
then setting all trips attributes in it. The trips attribute is then
added to the tz->device.groups.

As the removal of all attributes are handled by device core, the device
remove calls are not needed anymore.

Cc: Zhang Rui <rui.zhang@intel.com>
Cc: linux-pm(a)vger.kernel.org
Cc: linux-kernel(a)vger.kernel.org
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
---
 drivers/thermal/thermal_core.c | 78 ++++++++++++++++++++++--------------------
 include/linux/thermal.h        |  2 ++
 2 files changed, 42 insertions(+), 38 deletions(-)

diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
index 657ba02..9926c89 100644
--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -1188,8 +1188,9 @@ static const struct attribute_group *thermal_zone_attribute_groups[] = {
  */
 static int create_trip_attrs(struct thermal_zone_device *tz, int mask)
 {
-	int indx;
 	int size = sizeof(struct thermal_attr) * tz->trips;
+	struct attribute **attrs;
+	int indx;
 
 	tz->trip_type_attrs = kzalloc(size, GFP_KERNEL);
 	if (!tz->trip_type_attrs)
@@ -1210,6 +1211,15 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)
 		}
 	}
 
+	attrs = kzalloc(sizeof(*attrs) * tz->trips * 3 + 1, GFP_KERNEL);
+	if (!attrs) {
+		kfree(tz->trip_type_attrs);
+		kfree(tz->trip_temp_attrs);
+		if (tz->ops->get_trip_hyst)
+			kfree(tz->trip_hyst_attrs);
+		return -ENOMEM;
+	}
+
 	for (indx = 0; indx < tz->trips; indx++) {
 		/* create trip type attribute */
 		snprintf(tz->trip_type_attrs[indx].name, THERMAL_NAME_LENGTH,
@@ -1220,9 +1230,7 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)
 						tz->trip_type_attrs[indx].name;
 		tz->trip_type_attrs[indx].attr.attr.mode = S_IRUGO;
 		tz->trip_type_attrs[indx].attr.show = trip_point_type_show;
-
-		device_create_file(&tz->device,
-				   &tz->trip_type_attrs[indx].attr);
+		attrs[indx] = &tz->trip_type_attrs[indx].attr.attr;
 
 		/* create trip temp attribute */
 		snprintf(tz->trip_temp_attrs[indx].name, THERMAL_NAME_LENGTH,
@@ -1239,9 +1247,7 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)
 			tz->trip_temp_attrs[indx].attr.store =
 							trip_point_temp_store;
 		}
-
-		device_create_file(&tz->device,
-				   &tz->trip_temp_attrs[indx].attr);
+		attrs[indx + tz->trips] = &tz->trip_temp_attrs[indx].attr.attr;
 
 		/* create Optional trip hyst attribute */
 		if (!tz->ops->get_trip_hyst)
@@ -1259,45 +1265,39 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)
 			tz->trip_hyst_attrs[indx].attr.store =
 					trip_point_hyst_store;
 		}
-
-		device_create_file(&tz->device,
-				   &tz->trip_hyst_attrs[indx].attr);
+		attrs[indx + tz->trips * 2] =
+					&tz->trip_hyst_attrs[indx].attr.attr;
 	}
-	return 0;
-}
+	attrs[tz->trips * 3] = NULL;
 
-static void remove_trip_attrs(struct thermal_zone_device *tz)
-{
-	int indx;
+	tz->trips_attribute_group.attrs = attrs;
 
-	for (indx = 0; indx < tz->trips; indx++) {
-		device_remove_file(&tz->device,
-				   &tz->trip_type_attrs[indx].attr);
-		device_remove_file(&tz->device,
-				   &tz->trip_temp_attrs[indx].attr);
-		if (tz->ops->get_trip_hyst)
-			device_remove_file(&tz->device,
-					   &tz->trip_hyst_attrs[indx].attr);
-	}
-	kfree(tz->trip_type_attrs);
-	kfree(tz->trip_temp_attrs);
-	kfree(tz->trip_hyst_attrs);
+	return 0;
 }
 
-static int thermal_zone_create_device_groups(struct thermal_zone_device *tz)
+static int thermal_zone_create_device_groups(struct thermal_zone_device *tz,
+					     int mask)
 {
 	const struct attribute_group **groups;
-	int i, size;
+	int i, size, result;
 
-	size = ARRAY_SIZE(thermal_zone_attribute_groups) + 1;
+	/* we need one extra for trips and the NULL to terminate the array */
+	size = ARRAY_SIZE(thermal_zone_attribute_groups) + 2;
 	/* This also takes care of API requirement to be NULL terminated */
 	groups = kcalloc(size, sizeof(*groups), GFP_KERNEL);
 	if (!groups)
 		return -ENOMEM;
 
-	for (i = 0; i < size - 1; i++)
+	for (i = 0; i < size - 2; i++)
 		groups[i] = thermal_zone_attribute_groups[i];
 
+	if (tz->trips) {
+		result = create_trip_attrs(tz, mask);
+		if (result)
+			return result;
+		groups[size - 2] = &tz->trips_attribute_group;
+	}
+
 	tz->device.groups = groups;
 
 	return 0;
@@ -1934,8 +1934,12 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
 	tz->passive_delay = passive_delay;
 	tz->polling_delay = polling_delay;
 
+	/* sys I/F */
 	/* Add nodes that are always present via .groups */
-	thermal_zone_create_device_groups(tz);
+	result = thermal_zone_create_device_groups(tz, mask);
+	if (result)
+		goto unregister;
+
 	/* A new thermal zone needs to be updated anyway. */
 	atomic_set(&tz->need_update, 1);
 
@@ -1947,11 +1951,6 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
 		return ERR_PTR(result);
 	}
 
-	/* sys I/F */
-	result = create_trip_attrs(tz, mask);
-	if (result)
-		goto unregister;
-
 	for (count = 0; count < trips; count++) {
 		if (tz->ops->get_trip_type(tz, count, &trip_type))
 			set_bit(count, &tz->trips_disabled);
@@ -2056,7 +2055,10 @@ void thermal_zone_device_unregister(struct thermal_zone_device *tz)
 
 	thermal_zone_device_set_polling(tz, 0);
 
-	remove_trip_attrs(tz);
+	kfree(tz->trip_type_attrs);
+	kfree(tz->trip_temp_attrs);
+	kfree(tz->trip_hyst_attrs);
+	kfree(tz->trips_attribute_group.attrs);
 	thermal_set_governor(tz, NULL);
 
 	thermal_remove_hwmon_sysfs(tz);
diff --git a/include/linux/thermal.h b/include/linux/thermal.h
index ee517be..580809c 100644
--- a/include/linux/thermal.h
+++ b/include/linux/thermal.h
@@ -28,6 +28,7 @@
 #include <linux/of.h>
 #include <linux/idr.h>
 #include <linux/device.h>
+#include <linux/sysfs.h>
 #include <linux/workqueue.h>
 #include <uapi/linux/thermal.h>
 
@@ -187,6 +188,7 @@ struct thermal_zone_device {
 	int id;
 	char type[THERMAL_NAME_LENGTH];
 	struct device device;
+	struct attribute_group trips_attribute_group;
 	struct thermal_attr *trip_temp_attrs;
 	struct thermal_attr *trip_type_attrs;
 	struct thermal_attr *trip_hyst_attrs;
-- 
2.7.4


> 
> on test machine: vm-lkp-wsx03-quantal-x86_64: 2 threads qemu-system-
> x86_64 -enable-kvm -cpu Haswell,+smep,+smap with 360M memory
> 
> caused below changes:
> 
> 
> +------------------------------------------------------------------
> ----+------------+------------+
> > 
> >                                                                    
> >   | 79f34853ba | 24bc2fa031 |
> +------------------------------------------------------------------
> ----+------------+------------+
> > 
> > boot_successes                                                     
> >   | 2          | 0          |
> > boot_failures                                                      
> >   | 6          | 8          |
> > IP-Config:Auto-
> > configuration_of_network_failed                       |
> > 6          | 4          |
> > BUG:KASAN:slab-out-of-
> > bounds_in_thermal_zone_device_register_at_addr | 0          |
> > 8          |
> > BUG:KASAN:slab-out-of-
> > bounds_in_internal_create_group_at_addr        | 0          |
> > 8          |
> > backtrace:power_supply_register                                    
> >   | 0          | 8          |
> > backtrace:test_power_init                                          
> >   | 0          | 8          |
> > backtrace:kernel_init_freeable                                     
> >   | 0          | 8          |
> +------------------------------------------------------------------
> ----+------------+------------+
> 
> 
> 
> [    7.103767] __power_supply_register: Expected proper parent device
> for 'test_ac'
> [    7.105699] __power_supply_register: Expected proper parent device
> for 'test_battery'
> [    7.108318]
> ==================================================================
> [    7.109325] BUG: KASAN: slab-out-of-bounds in
> thermal_zone_device_register+0x749/0x10a0 at addr ffff880000134140
> [    7.110709] Write of size 8 by task swapper/1
> [    7.111312] CPU: 0 PID: 1 Comm: swapper Not tainted 4.7.0-rc3-
> 00014-g24bc2fa0 #1
> [    7.112309] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS Debian-1.8.2-1 04/01/2014
> [    7.113506]  ffff880000134160 ffff880010897b58 ffffffff817356d9
> ffff880010897bd8
> [    7.114588]  ffffffff811ebffc 0000000000000000 0000000000000000
> 0000000000000297
> [    7.115652]  ffffffff811eadf5 ffff88000013415f 1ffff1000002682c
> ffff880010897bd8
> [    7.116720] Call Trace:
> [    7.117080]  [<ffffffff817356d9>] dump_stack+0x19/0x20
> [    7.117777]  [<ffffffff811ebffc>] kasan_report_error+0x1ec/0x5a0
> [    7.118598]  [<ffffffff811eadf5>] ?
> kasan_unpoison_shadow+0x35/0x50
> [    7.119454]  [<ffffffff811eb4a9>] ? kasan_kmalloc+0xd9/0x100
> [    7.120239]  [<ffffffff811ec3e3>] kasan_report+0x33/0x40
> [    7.120967]  [<ffffffff81d44e39>] ?
> thermal_zone_device_register+0x749/0x10a0
> [    7.121949]  [<ffffffff811ebc81>] __asan_store8+0x61/0x70
> [    7.122699]  [<ffffffff81d44e39>]
> thermal_zone_device_register+0x749/0x10a0
> [    7.123646]  [<ffffffff81d446f0>] ?
> thermal_notify_framework+0x10/0x10
> [    7.124545]  [<ffffffff818f0640>] ? dev_warn+0xe0/0xe0
> [    7.125259]  [<ffffffff821c5d49>] ? _raw_spin_unlock_irq+0x9/0x20
> [    7.126104]  [<ffffffff8190959c>] ?
> device_wakeup_enable+0xbc/0x110
> [    7.126956]  [<ffffffff81ca1179>]
> __power_supply_register+0x5c9/0x700
> [    7.127840]  [<ffffffff81ca185e>] power_supply_register+0xe/0x10
> [    7.128663]  [<ffffffff83269716>] test_power_init+0x35/0xeb
> [    7.129433]  [<ffffffff832696e1>] ?
> wm8350_power_driver_init+0x14/0x14
> [    7.130328]  [<ffffffff832222cd>] do_one_initcall+0xef/0x1a1
> [    7.131111]  [<ffffffff83221aae>] ? repair_env_string+0x2f/0x73
> [    7.131912]  [<ffffffff832221de>] ? start_kernel+0x447/0x447
> [    7.132689]  [<ffffffff810fca00>] ? parameq+0xa0/0xa0
> [    7.133385]  [<ffffffff83221a7f>] ? set_debug_rodata+0x12/0x12
> [    7.134192]  [<ffffffff83222516>] kernel_init_freeable+0x197/0x228
> [    7.135042]  [<ffffffff821b4d2e>] kernel_init+0xe/0x110
> [    7.135751]  [<ffffffff821c629f>] ret_from_fork+0x1f/0x40
> [    7.136488]  [<ffffffff821b4d20>] ? rest_init+0x90/0x90
> [    7.137207] Object at ffff880000134140, in cache kmalloc-32
> [    7.137952] Object allocated with size 1 bytes.
> [    7.138572] Allocation:
> [    7.138909] PID = 1
> [    7.139216]  [<ffffffff81032e55>] save_stack_trace+0x25/0x40
> [    7.139993]  [<ffffffff811ead36>] save_stack+0x46/0xd0
> [    7.140714]  [<ffffffff811eb4a9>] kasan_kmalloc+0xd9/0x100
> [    7.141479]  [<ffffffff811e92a6>] __kmalloc+0xe6/0x1d0
> [    7.142201]  [<ffffffff81d44a9c>]
> thermal_zone_device_register+0x3ac/0x10a0
> [    7.143162]  [<ffffffff81ca1179>]
> __power_supply_register+0x5c9/0x700
> [    7.144076]  [<ffffffff81ca185e>] power_supply_register+0xe/0x10
> [    7.144913]  [<ffffffff83269716>] test_power_init+0x35/0xeb
> [    7.145698]  [<ffffffff832222cd>] do_one_initcall+0xef/0x1a1
> [    7.146487]  [<ffffffff83222516>] kernel_init_freeable+0x197/0x228
> [    7.147359]  [<ffffffff821b4d2e>] kernel_init+0xe/0x110
> [    7.148105]  [<ffffffff821c629f>] ret_from_fork+0x1f/0x40
> [    7.148860] Memory state around the buggy address:
> [    7.149548]  ffff880000134000: 00 fc fc fc fc fc fc fc 00 03 fc fc
> fc fc fc fc
> [    7.150578]  ffff880000134080: 06 fc fc fc fc fc fc fc 03 fc fc fc
> fc fc fc fc
> 
> 
> FYI, raw QEMU command line is:
> 
> 	qemu-system-x86_64 -enable-kvm -cpu Haswell,+smep,+smap -kernel
> /pkg/linux/x86_64-randconfig-s1-06151451/gcc-
> 6/24bc2fa031f094c05c017a862732924cb46ad2c1/vmlinuz-4.7.0-rc3-00014-
> g24bc2fa0 -append 'root=/dev/ram0 user=lkp job=/lkp/scheduled/vm-lkp-
> wsx03-quantal-x86_64-8/bisect_boot-1-quantal-core-x86_64.cgz-x86_64-
> randconfig-s1-06151451-24bc2fa031f094c05c017a862732924cb46ad2c1-
> 20160615-110339-ip9qk6-0.yaml~ ARCH=x86_64 kconfig=x86_64-randconfig-
> s1-06151451 branch=linux-devel/devel-spot-201606151338
> commit=24bc2fa031f094c05c017a862732924cb46ad2c1
> BOOT_IMAGE=/pkg/linux/x86_64-randconfig-s1-06151451/gcc-
> 6/24bc2fa031f094c05c017a862732924cb46ad2c1/vmlinuz-4.7.0-rc3-00014-
> g24bc2fa0 max_uptime=600 RESULT_ROOT=/result/boot/1/vm-lkp-wsx03-
> quantal-x86_64/quantal-core-x86_64.cgz/x86_64-randconfig-s1-
> 06151451/gcc-6/24bc2fa031f094c05c017a862732924cb46ad2c1/0
> LKP_SERVER=inn earlyprintk=ttyS0,115200 systemd.log_level=err debug
> apic=debug sysrq_always_enabled rcupdate.rcu_cpu_stall_timeout=100
> panic=-1 softlockup_panic=1 nmi_watchdog=panic oops=panic
> load_ramdisk=2 prompt_ramdisk=0 console=ttyS0,115200 console=tty0
> vga=normal rw ip=::::vm-lkp-wsx03-quantal-x86_64-8::dhcp
> drbd.minor_count=8'  -initrd /fs/sdc1/initrd-vm-lkp-wsx03-quantal-
> x86_64-8 -m 360 -smp 2 -device e1000,netdev=net0 -netdev user,id=net0
> -boot order=nc -no-reboot -watchdog i6300esb -rtc base=localtime
> -pidfile /dev/shm/kboot/pid-vm-lkp-wsx03-quantal-x86_64-8 -serial
> file:/dev/shm/kboot/serial-vm-lkp-wsx03-quantal-x86_64-8 -daemonize
> -display none -monitor null 
> 
> 
> 
> 
> 
> Thanks,
> Xiaolong