From: Erhard Furtner <erhard_f@mailbox.org>
To: Guenter Roeck <linux@roeck-us.net>
Cc: linux-hwmon@vger.kernel.org
Subject: Re: BUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 [nct6775_core] (kernel 6.8-rc5, amd64)
Date: Wed, 21 Feb 2024 01:41:52 +0100 [thread overview]
Message-ID: <20240221014152.53b995d4@yea> (raw)
In-Reply-To: <324097c7-05c3-47b5-b0ca-3593ce25ebbf@roeck-us.net>
On Tue, 20 Feb 2024 07:45:18 -0800
Guenter Roeck <linux@roeck-us.net> wrote:
> Would it be possible to run the stack trace through scripts/decode/stacktrace.sh ?
> I am having trouble associating the backtrace with the actual source.
>
> Also, did you by any chance try the same configuration on the same system with
> a pre-6.8 kernel ? The source code locations I did find (unless they are completely
> off) point to code that wasn't changed after v6.7, so it would help to understand
> if this is a new problem or one that is exposed by your board.
Hi Günter!
I tried v6.6 just now and got the issue there too.
./scripts/decode_stacktrace.sh /boot/vmlinuz-6.8.0-rc5-Zen3 < ~ef/dmesg_68-rc5_zen3_v01
gives me:
[...]
nct6775: Found NCT6798D or compatible chip at 0x2e:0x290
BTRFS info (device nvme0n1p7: state M): use lzo compression, level 0
loop: module loaded
==================================================================
BUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core
systemd-journald[867]: Collecting audit messages is disabled.
Read of size 2 at addr ffffffffc0863104 by task systemd-modules/868
CPU: 23 PID: 868 Comm: systemd-modules Not tainted 6.8.0-rc5-Zen3 #3
Hardware name: To Be Filled By O.E.M. B550M Pro4/B550M Pro4, BIOS P3.40 01/18/2024
systemd[1]: Mounted dev-hugepages.mount.
Call Trace:
<TASK>
dump_stack_lvl+0x37/0x52
print_report+0x17e/0x505
? nct6775_reg_read (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:352) nct6775
? srso_alias_return_thunk+0x5/0xfbef5
? nct6775_probe+0x5654/0x6fe9 nct6775_core
kasan_report+0xb9/0xe4
? nct6775_probe+0x5654/0x6fe9 nct6775_core
nct6775_probe+0x5654/0x6fe9 nct6775_core
? show_tsi_temp+0xa7/0xa7 nct6775_core
? srso_alias_return_thunk+0x5/0xfbef5
? add_dr+0x77/0x11f
? srso_alias_return_thunk+0x5/0xfbef5
? do_raw_spin_unlock+0x5d/0x1b6
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? nct6775_platform_probe (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:974) nct6775
platform_probe+0xe0/0x153
really_probe+0x28a/0x57b
? driver_probe_device+0xc7/0xc7
__driver_probe_device+0x20b/0x265
? driver_probe_device+0xc7/0xc7
driver_probe_device+0x45/0xc7
__device_attach_driver+0x15e/0x1b4
bus_for_each_drv+0x12c/0x15c
? __cond_resched+0x58/0x63
? bus_rescan_devices+0x14/0x14
? _raw_spin_unlock_irqrestore+0xd/0x1e
? srso_alias_return_thunk+0x5/0xfbef5
__device_attach+0x19a/0x241
? device_driver_attach+0x95/0x95
? do_raw_spin_unlock+0x5d/0x1b6
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
bus_probe_device+0x7d/0x14e
device_add+0x5e9/0xf93
? get_device_parent+0x336/0x336
? srso_alias_return_thunk+0x5/0xfbef5
? __insert_resource+0x2d/0x302
platform_device_add+0x33b/0x456
sensors_nct6775_platform_init+0x87b/0x1000 nct6775
? 0xffffffffc0887000
? superio_wmi_exit (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:205) nct6775
? superio_outb (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:220) nct6775
? superio_inb (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:229) nct6775
? superio_exit (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:189) nct6775
? nct6775_asuswmi_read+0xc6/0xc6 nct6775
? 0xffffffffc0887000
do_one_initcall+0xf4/0x2a1
? efi_enabled.constprop.0+0x50/0x50
? srso_alias_return_thunk+0x5/0xfbef5
? local_clock_noinstr+0xc/0xa8
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? kasan_unpoison+0x3c/0x47
do_init_module+0x272/0x5a2
? kfree+0xc8/0x14f
load_module+0x3529/0x386d
? module_frob_arch_sections+0x16/0x16
? __vmalloc_node+0xa9/0xc8
? mode_strip_umask.isra.0+0x73/0x73
? init_module_from_file+0xc4/0xfb
? srso_alias_return_thunk+0x5/0xfbef5
init_module_from_file+0xc4/0xfb
? __do_sys_init_module+0x19f/0x19f
? srso_alias_return_thunk+0x5/0xfbef5
? do_raw_spin_unlock+0x5d/0x1b6
__do_sys_finit_module+0x2b8/0x468
? init_module_from_file+0xfb/0xfb
do_syscall_64+0x84/0xee
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f3a1a92d479
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 87 89 0c 00 f7 d8 64 89 01 48
All code
========
0: ff c3 inc %ebx
2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d 87 89 0c 00 mov 0xc8987(%rip),%rcx # 0xc89c1
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d 87 89 0c 00 mov 0xc8987(%rip),%rcx # 0xc8997
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
RSP: 002b:00007ffe6900a178 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000055ee345bd630 RCX: 00007f3a1a92d479
RDX: 0000000000000000 RSI: 00007f3a1ad6f70f RDI: 0000000000000008
RBP: 0000000000000000 R08: 00007f3a1a9f6b20 R09: fffffffffffffe98
R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
R13: 00007f3a1ad6f70f R14: 000055ee345bd320 R15: 0000000000000000
</TASK>
The buggy address belongs to the variable:
_sub_I_65535_1+0x10f60/0xe5c nct6775_core
Memory state around the buggy address:
ffffffffc0863000: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
ffffffffc0863080: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
>ffffffffc0863100: 04 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
^
ffffffffc0863180: 04 f9 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
ffffffffc0863200: 00 06 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
==================================================================
Disabling lock debugging due to kernel taint
[...]
Regards,
Erhard
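When triaging reports like the one above, the useful facts are scattered across the KASAN block: the bug class and faulting symbol, the access kind and size, the first reliable frame (lines prefixed with `?` are stale stack slots, not real callers), the symbol the address was attributed to, and the shadow bytes (one shadow byte per 8-byte granule: `00` means all 8 bytes addressable, `01`..`07` means only that many leading bytes are, and `f9` is a global redzone). The parser below is an added example, not code from the thread or from the kernel tree; it assumes the report layout of current 6.x kernels, and its sample input is constructed from the lines of the report above with the interleaved dmesg noise kept in.

```python
"""Parse a KASAN report out of dmesg text and explain why the access faulted."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the essential lines of the report in the mail above, with
# unrelated dmesg lines interleaved and '?' frames present, as decode_stacktrace.sh
# would leave them. Addresses and offsets are the ones the mail shows.
SAMPLE_DMESG = """\
nct6775: Found NCT6798D or compatible chip at 0x2e:0x290
==================================================================
BUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core
systemd-journald[867]: Collecting audit messages is disabled.
Read of size 2 at addr ffffffffc0863104 by task systemd-modules/868
CPU: 23 PID: 868 Comm: systemd-modules Not tainted 6.8.0-rc5-Zen3 #3
Call Trace:
<TASK>
dump_stack_lvl+0x37/0x52
print_report+0x17e/0x505
? nct6775_reg_read (drivers/hwmon/nct6775-platform.c:352) nct6775
kasan_report+0xb9/0xe4
nct6775_probe+0x5654/0x6fe9 nct6775_core
platform_probe+0xe0/0x153
</TASK>
The buggy address belongs to the variable:
_sub_I_65535_1+0x10f60/0xe5c nct6775_core
Memory state around the buggy address:
ffffffffc0863080: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
>ffffffffc0863100: 04 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
                   ^
==================================================================
"""

# Module suffix appears as "[mod]" in raw dmesg and as "mod" after decode_stacktrace.sh.
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+"
                    r"(?: \[?(?P<mod>[\w.-]+)\]?)?$")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)$")
CPU_RE = re.compile(r"^CPU: \d+ PID: \d+ Comm: \S+ (?P<taint>Not tainted|Tainted: \S+) (?P<ver>\S+)")
SYM_RE = re.compile(r"^(?P<sym>\S+?)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)(?: \[?(?P<mod>[\w.-]+)\]?)?$")
SHADOW_RE = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
REPORT_FRAMES = ("dump_stack_lvl", "print_report", "kasan_report", "__asan_", "__kasan_")


@dataclass
class KasanReport:
    kind: str = ""
    symbol: str = ""
    module: Optional[str] = None
    access: str = ""
    access_size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    version: str = ""
    tainted: bool = False
    variable: Optional[str] = None
    var_offset: int = 0
    var_size: int = 0
    frames: List[str] = field(default_factory=list)
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # line base -> 16 shadow bytes

    @property
    def culprit(self) -> Optional[str]:
        """First reliable frame outside the KASAN reporting machinery."""
        return next((f for f in self.frames if not f.startswith(REPORT_FRAMES)), None)

    @property
    def symbolization_suspect(self) -> bool:
        """Offset beyond the symbol's size: kallsyms picked the nearest symbol, not the real one."""
        return self.variable is not None and self.var_offset >= self.var_size

    def shadow_byte(self) -> Optional[int]:
        base = self.addr & ~0x7F  # each printed shadow line covers 16 granules * 8 bytes
        row = self.shadow.get(base)
        return None if row is None else row[(self.addr - base) >> 3]

    def access_in_bounds(self) -> Optional[bool]:
        """Does the access fit inside the addressable prefix of its 8-byte granule?"""
        sb = self.shadow_byte()
        if sb is None:
            return None
        accessible = 8 if sb == 0 else sb if sb < 8 else 0
        return (self.addr & 7) + self.access_size <= accessible

    def explain(self) -> str:
        lines = [f"{self.kind}: {self.access} of {self.access_size} byte(s) at {self.addr:#x} "
                 f"by {self.task}/{self.pid} on {self.version} (tainted={self.tainted})",
                 f"culprit frame: {self.culprit}"]
        sb = self.shadow_byte()
        if sb is not None:
            lo = self.addr & 7
            lines.append(f"shadow byte {sb:#04x}; access covers granule bytes {lo}..{lo + self.access_size - 1} "
                         f"-> {'in bounds' if self.access_in_bounds() else 'out of bounds'}")
        if self.symbolization_suspect:
            lines.append(f"note: '{self.variable}' offset {self.var_offset:#x} exceeds its size "
                         f"{self.var_size:#x}; the real variable is not identified")
        return "\n".join(lines)


def parse_kasan_report(text: str) -> Optional[KasanReport]:
    rep, in_trace, want_var = None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if rep is None:
            m = BUG_RE.match(line)
            if m:
                rep = KasanReport(kind=m["kind"], symbol=m["sym"], module=m["mod"])
            continue
        if line.startswith("====="):  # closing rule of the report
            break
        if m := ACCESS_RE.match(line):
            rep.access, rep.access_size = m["rw"], int(m["size"])
            rep.addr, rep.task, rep.pid = int(m["addr"], 16), m["task"], int(m["pid"])
        elif m := CPU_RE.match(line):
            rep.version, rep.tainted = m["ver"], m["taint"] != "Not tainted"
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif in_trace:
            if not line.startswith("? "):  # '?' frames are stale stack slots, not real callers
                rep.frames.append(line)
        elif line.endswith("belongs to the variable:"):
            want_var = True
        elif want_var:
            want_var = False
            if m := SYM_RE.match(line):
                rep.variable, rep.var_offset, rep.var_size = m["sym"], int(m["off"], 16), int(m["size"], 16)
        elif m := SHADOW_RE.match(line):
            rep.shadow[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return rep


if __name__ == "__main__":
    print(parse_kasan_report(SAMPLE_DMESG).explain())
```

On the sample this reports a 2-byte read at granule offset 4 against a shadow byte of `0x04`, i.e. only bytes 0..3 of that granule are addressable, so bytes 4..5 are out of bounds, and it flags that the `_sub_I_65535_1+0x10f60/0xe5c` attribution has an offset larger than the symbol, which is why the "belongs to the variable" line does not name the real array. Feed it `dmesg` output or a saved log on stdin-style text and you get the same one-screen summary for any KASAN report of this shape.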