* [PATCH] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
@ 2024-09-17 18:03 Zach Wade
2024-09-18 13:48 ` srinivas pandruvada
0 siblings, 1 reply; 15+ messages in thread
From: Zach Wade @ 2024-09-17 18:03 UTC (permalink / raw)
To: srinivas.pandruvada, hdegoede, ilpo.jarvinen
Cc: platform-driver-x86, Zach Wade
In my vmware virtualization environment, after loading the
isst_if_common and isst_if_mbox_msr modules on the 64 core, the kasan
report was triggered.
After consulting the kernel manual (Documentation/arch/x86/topology.rst),
I think in _isst_if_get_pci_dev, topology_physical_package_id should be
replaced with topology_logical_package_id.
kasan bug report:
[ 19.411889] ==================================================================
[ 19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
[ 19.417368]
[ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10
[ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
[ 19.422687] Call Trace:
[ 19.424091] <TASK>
[ 19.425448] dump_stack_lvl+0x5d/0x80
[ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.428694] print_report+0x19d/0x52e
[ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.433539] kasan_report+0xf0/0x170
[ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
[ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
[ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
[ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
[ 19.444797] cpuhp_invoke_callback+0x221/0xec0
[ 19.446337] cpuhp_thread_fun+0x21b/0x610
[ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
[ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 19.452405] kthread+0x29c/0x350
[ 19.453817] ? __pfx_kthread+0x10/0x10
[ 19.455253] ret_from_fork+0x31/0x70
[ 19.456685] ? __pfx_kthread+0x10/0x10
[ 19.458114] ret_from_fork_asm+0x1a/0x30
[ 19.459573] </TASK>
[ 19.460853]
[ 19.462055] Allocated by task 1198:
[ 19.463410] kasan_save_stack+0x30/0x50
[ 19.464788] kasan_save_track+0x14/0x30
[ 19.466139] __kasan_kmalloc+0xaa/0xb0
[ 19.467465] __kmalloc+0x1cd/0x470
[ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
[ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
[ 19.471670] do_one_initcall+0xa4/0x380
[ 19.472903] do_init_module+0x238/0x760
[ 19.474105] load_module+0x5239/0x6f00
[ 19.475285] init_module_from_file+0xd1/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.478920] do_syscall_64+0x82/0x160
[ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 19.481292]
[ 19.482205] The buggy address belongs to the object at ffff888829e65000
which belongs to the cache kmalloc-512 of size 512
[ 19.484818] The buggy address is located 0 bytes to the right of
allocated 512-byte region [ffff888829e65000, ffff888829e65200)
[ 19.487447]
[ 19.488328] The buggy address belongs to the physical page:
[ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60
[ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
[ 19.493914] page_type: 0xffffffff()
[ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff
[ 19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 19.503784] page dumped because: kasan: bad access detected
[ 19.505058]
[ 19.505970] Memory state around the buggy address:
[ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.510014] ^
[ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.515367] ==================================================================
Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering")
Signed-off-by: Zach Wade <zachwade.k@gmail.com>
---
drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
index 10e21563fa46..80654aacd5bd 100644
--- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
+++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
@@ -316,7 +316,7 @@ static struct pci_dev *_isst_if_get_pci_dev(int cpu, int bus_no, int dev, int fn
cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
return NULL;
- pkg_id = topology_physical_package_id(cpu);
+ pkg_id = topology_logical_package_id(cpu);
bus_number = isst_cpu_info[cpu].bus_info[bus_no];
if (bus_number < 0)
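Review bot: pkg_id is still used without a range check after the changed line `pkg_id = topology_logical_package_id(cpu);`. The KASAN report in the changelog shows an 8-byte read starting exactly at the end of the 512-byte allocation, so a package ID that is too large goes straight into the lookup. Consider adding `if (pkg_id >= topology_max_packages()) return NULL;` directly after the assignment, next to the existing cpu range checks, so that an unexpected ID fails the lookup instead of reading past the array.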
--
2.46.0
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-17 18:03 [PATCH] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Zach Wade
@ 2024-09-18 13:48 ` srinivas pandruvada
2024-09-18 16:37 ` Zach Wade
0 siblings, 1 reply; 15+ messages in thread
From: srinivas pandruvada @ 2024-09-18 13:48 UTC (permalink / raw)
To: Zach Wade, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86
Hi Wade,
On Wed, 2024-09-18 at 02:03 +0800, Zach Wade wrote:
> In my vmware virtualization environment,
How are you using this driver in a virtualized environment?
Did you assign this PCI device to a particular VM?
SST functions are not supported in a virtualized environment as PM
functions can't be isolated (there may be some private implementation
where they can assign all CPUs in a package to a VM). Even if you assign
this device, there are other MSRs that need to be virtualized.
Here in the virtualized environment, it seems the
topology_physical_package_id() (from CPU APIC ID in the non-virtualized
case) is assigned some big value, which is more than max packages in
the system.
But your fix is good as topology_logical_package_id() should be less
than the value returned by topology_max_packages() and hence avoids this
issue.
Can you confirm the value returned by topology_logical_package_id() and
topology_physical_package_id()?
We can change the commit description based on that.
Thanks,
Srinivas
> after loading the
> isst_if_common and isst_if_mbox_msr modules on the 64 core, the kasan
> report was triggered.
> After consulting the kernel manual
> (Documentation/arch/x86/topology.rst),
> I think in _isst_if_get_pci_dev, topology_physical_package_id should
> be
> replaced with topology_logical_package_id.
>
> kasan bug report:
>
> Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with
> Sub-NUMA clustering")
> Signed-off-by: Zach Wade <zachwade.k@gmail.com>
> ---
> drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git
> a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> index 10e21563fa46..80654aacd5bd 100644
> --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> @@ -316,7 +316,7 @@ static struct pci_dev *_isst_if_get_pci_dev(int
> cpu, int bus_no, int dev, int fn
> cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
> return NULL;
>
> - pkg_id = topology_physical_package_id(cpu);
> + pkg_id = topology_logical_package_id(cpu);
>
> bus_number = isst_cpu_info[cpu].bus_info[bus_no];
> if (bus_number < 0)
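Review bot: the changelog quoted above this hunk gives no reason for replacing topology_physical_package_id() with topology_logical_package_id() beyond "I think ... should be replaced". State in the commit message what sizes the array that pkg_id indexes and which physical package ID values were seen on the reporting VM, so the Fixes: tag can be checked and the report can be reproduced.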
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-18 13:48 ` srinivas pandruvada
@ 2024-09-18 16:37 ` Zach Wade
2024-09-18 17:41 ` srinivas pandruvada
0 siblings, 1 reply; 15+ messages in thread
From: Zach Wade @ 2024-09-18 16:37 UTC (permalink / raw)
To: srinivas pandruvada, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86
> On 2024/9/18 21:48, srinivas pandruvada wrote:
>> Hi Wade,
>>
>> On Wed, 2024-09-18 at 02:03 +0800, Zach Wade wrote:
>>> In my vmware virtualization environment,
>>
>> How are you using this driver is virtualized environment?
>> Did you assign this PCI device to particular VM?
Hi pandruvada,
Sorry, I misread my previous configuration. Please update the virtual
machine configuration to 32 core, 64GB. I have directly connected two
physical hard drives to the virtual machine. Unfortunately, the lspci
-vvs "PCI ID" did not detect any PCI devices using the isst_if_max_msr
driver.
>>
>> SST functions are not supported in virtualized environment as PM
>> functions can't be isolated (There may be some private implementation
>> where they can assign all CPUs in a package to VM). Even if you assign
>> this device, there are other MSRs needs to be virtualized.
>>
>> Here on the virtualized environment, seems the
>> topology_physical_package_id() (from CPU APIC ID in non virtualized
>> case) is assigned some big value, which is more than max packages in
>> the system.
>>
>> But your fix is good as topology_logical_package_id() should be less
>> than value returned by topology_max_packages() and hence avoid this
>> issue.
>>
>> Can you confirm the value returned by topology_logical_package_id() and
>> topology_physical_package_id()?
cat /proc/cpuinfo | grep "physical id"
physical id : 0
physical id : 2
physical id : 4
......
physical id : 58
physical id : 60
physical id : 62
I calculated topology_max_packages() * sizeof (* isst_pkg.info) in
isst_if_cpu_info_init, and focused on pkg_id and bus_no in
_isst_if_get_pci_dev.
The printk printed result is as follows:
[ 51.879700] Allocated size: 512
[ 51.880148] pkg_id: 0, bus_no: 0
[ 51.881242] pkg_id: 0, bus_no: 1
[ 51.884209] pkg_id: 2, bus_no: 0
[ 51.884571] pkg_id: 2, bus_no: 1
[ 51.884931] pkg_id: 4, bus_no: 0
[ 51.885313] pkg_id: 4, bus_no: 1
......
[ 51.899134] pkg_id: 28, bus_no: 0
[ 51.899511] pkg_id: 28, bus_no: 1
[ 51.899909] pkg_id: 30, bus_no: 0
[ 51.901012] pkg_id: 30, bus_no: 1
[ 51.902160]
==================================================================
[ 51.902936] BUG: KASAN: slab-out-of-bounds in
_isst_if_get_pci_dev.cold+0xde/0xe4 [isst_if_common]
[ 51.982707]
==================================================================
[ 51.985453] pkg_id: 32, bus_no: 0
[ 51.986569] pkg_id: 32, bus_no: 1
[ 51.988501] pkg_id: 34, bus_no: 0
[ 51.989616] pkg_id: 34, bus_no: 1
......
[ 52.059749] pkg_id: 58, bus_no: 0
[ 52.062331] pkg_id: 58, bus_no: 1
[ 52.066039] pkg_id: 60, bus_no: 0
[ 52.068503] pkg_id: 60, bus_no: 1
[ 52.072018] pkg_id: 62, bus_no: 0
[ 52.074375] pkg_id: 62, bus_no: 1
>>
>> We can change commit description based on that.
>>
>> Thanks,
>> Srinivas
>>
I think the changes are minor, so no more content was added to the patch.
If you think it needs to be added, I am happy for you to help supplement
it.
Thanks,
Zach
>> after loading the
>> isst_if_common and isst_if_mbox_msr modules on the 64 core, the kasan
>> report was triggered.
>> After consulting the kernel manual
>> (Documentation/arch/x86/topology.rst),
>> I think in _isst_if_get_pci_dev, topology_physical_package_id should
>> be
>> replaced with topology_logical_package_id.
>>
>> kasan bug report:
>>
>> Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with
>> Sub-NUMA clustering")
>> Signed-off-by: Zach Wade <zachwade.k@gmail.com>
>> ---
>> drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git
>> a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>> b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>> index 10e21563fa46..80654aacd5bd 100644
>> --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>> +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>> @@ -316,7 +316,7 @@ static struct pci_dev *_isst_if_get_pci_dev(int
>> cpu, int bus_no, int dev, int fn
>> cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
>> return NULL;
>>
>> - pkg_id = topology_physical_package_id(cpu);
>> + pkg_id = topology_logical_package_id(cpu);
>>
>> bus_number = isst_cpu_info[cpu].bus_info[bus_no];
>> if (bus_number < 0)
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-18 16:37 ` Zach Wade
@ 2024-09-18 17:41 ` srinivas pandruvada
2024-09-19 16:22 ` Zach Wade
` (2 more replies)
0 siblings, 3 replies; 15+ messages in thread
From: srinivas pandruvada @ 2024-09-18 17:41 UTC (permalink / raw)
To: Zach Wade, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86
On Thu, 2024-09-19 at 00:37 +0800, Zach Wade wrote:
>
>
> > On 2024/9/18 21:48, srinivas pandruvada wrote:
> > > Hi Wade,
> > >
> > > On Wed, 2024-09-18 at 02:03 +0800, Zach Wade wrote:
> > > > In my vmware virtualization environment,
> > >
> > > How are you using this driver is virtualized environment?
> > > Did you assign this PCI device to particular VM?
>
> Hi pandruvada,
> Sorry, I misread my previous configuration. Please update the virtual
> machine configuration to 32 core, 64GB. I have directly connected two
> physical hard drives to the virtual machine.
What is the dependency of the physical hard drive?
> Unfortunately, the lspci
> -vvs "PCI ID" did not detect any PCI devices using the isst_if_max_msr
> driver.
>
> > >
> > > SST functions are not supported in virtualized environment as PM
> > > functions can't be isolated (There may be some private
> > > implementation
> > > where they can assign all CPUs in a package to VM). Even if you
> > > assign
> > > this device, there are other MSRs needs to be virtualized.
> > >
Do you need to do anything to load this driver in a VMware VM?
I don't think lspci in the VM will show this device.
Can you send lspci -k?
I want to make sure somehow your other VM PCI device is using the same ID
as this device.
> > > Here on the virtualized environment, seems the
> > > topology_physical_package_id() (from CPU APIC ID in non
> > > virtualized
> > > case) is assigned some big value, which is more than max packages
> > > in
> > > the system.
> > >
> > > But your fix is good as topology_logical_package_id() should be
> > > less
> > > than value returned by topology_max_packages() and hence avoid
> > > this
> > > issue.
> > >
> > > Can you confirm the value returned by
> > > topology_logical_package_id() and
> > > topology_physical_package_id()?
>
> cat /proc/cpuinfo | grep "physical id"
> physical id : 0
> physical id : 2
> physical id : 4
> ......
> physical id : 58
> physical id : 60
> physical id : 62
>
> I calculated topology_max_packages() * sizeof (* isst_pkg.info) in
> isst_if_cpu_info_init, and focused on pkg_id and bus_no in
> _isst_if_get_pci_dev.
> The printk printed result is as follows:
> [ 51.879700] Allocated size: 512
Here topology_max_packages() returned 32.
> [ 51.880148] pkg_id: 0, bus_no: 0
> [ 51.881242] pkg_id: 0, bus_no: 1
> [ 51.884209] pkg_id: 2, bus_no: 0
> [ 51.884571] pkg_id: 2, bus_no: 1
> [ 51.884931] pkg_id: 4, bus_no: 0
> [ 51.885313] pkg_id: 4, bus_no: 1
> ......
> [ 51.899134] pkg_id: 28, bus_no: 0
> [ 51.899511] pkg_id: 28, bus_no: 1
> [ 51.899909] pkg_id: 30, bus_no: 0
> [ 51.901012] pkg_id: 30, bus_no: 1
> [ 51.902160]
> ==================================================================
> [ 51.902936] BUG: KASAN: slab-out-of-bounds in
> _isst_if_get_pci_dev.cold+0xde/0xe4 [isst_if_common]
> [ 51.982707]
> ==================================================================
Package ID is 32, so it will overflow. There seem to be only 32
packages.
If you print topology_logical_package_id(), you will have no gaps, and
it will be 0-31.
Can you also print topology_logical_package_id() to confirm?
topology_max_packages() returns max __max_logical_packages, so
topology_logical_package_id() will be better here.
> [ 51.985453] pkg_id: 32, bus_no: 0
> [ 51.986569] pkg_id: 32, bus_no: 1
> [ 51.988501] pkg_id: 34, bus_no: 0
> [ 51.989616] pkg_id: 34, bus_no: 1
> ......
> [ 52.059749] pkg_id: 58, bus_no: 0
> [ 52.062331] pkg_id: 58, bus_no: 1
> [ 52.066039] pkg_id: 60, bus_no: 0
> [ 52.068503] pkg_id: 60, bus_no: 1
> [ 52.072018] pkg_id: 62, bus_no: 0
> [ 52.074375] pkg_id: 62, bus_no: 1
>
> > >
> > > We can change commit description based on that.
> > >
> > > Thanks,
> > > Srinivas
> > >
>
> I think the changes are minor, so no more content was added to the
> patch.
> If you think it needs to be added, I am happy for you to help
> supplement
> it.
I just want to be clear how to reproduce this issue.
"
Attaching the SST PCI device to a VM causes "BUG: KASAN: slab-out-of-bounds".
Then you can add the kasan bug report.
The reason for this error is that physical_package_ids assigned by the VMM
have holes. This will cause the value returned by
topology_physical_package_id() to be more than topology_max_packages().
The allocation uses topology_max_packages() to allocate memory.
topology_max_packages() returns maximum logical package IDs. Hence use
topology_logical_package_id() instead of
topology_physical_package_id().
"
Also we should add a check:
	pkg_id = topology_logical_package_id(cpu);
	if (pkg_id >= topology_max_packages())
		return NULL;
Maybe the VMM has holes in logical IDs also; then at least it will not
cause a BUG.
Thanks,
Srinivas
> Thanks,
> Zach
>
> > > after loading the
> > > isst_if_common and isst_if_mbox_msr modules on the 64 core, the
> > > kasan
> > > report was triggered.
> > > After consulting the kernel manual
> > > (Documentation/arch/x86/topology.rst),
> > > I think in _isst_if_get_pci_dev, topology_physical_package_id
> > > should
> > > be
> > > replaced with topology_logical_package_id.
> > >
> > > kasan bug report:
> > > [ 19.411889]
> > > =================================================================
> > > =
> > > [ 19.413702] BUG: KASAN: slab-out-of-bounds in
> > > _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> > > [ 19.415634] Read of size 8 at addr ffff888829e65200 by task
> > > cpuhp/16/113
> > > [ 19.417368]
> > > [ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G
> > > E 6.9.0 #10
> > > [ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX
> > > Desktop
> > > Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713
> > > 07/28/2022
> > > [ 19.422687] Call Trace:
> > > [ 19.424091] <TASK>
> > > [ 19.425448] dump_stack_lvl+0x5d/0x80
> > > [ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400
> > > [isst_if_common]
> > > [ 19.428694] print_report+0x19d/0x52e
> > > [ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
> > > [ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400
> > > [isst_if_common]
> > > [ 19.433539] kasan_report+0xf0/0x170
> > > [ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400
> > > [isst_if_common]
> > > [ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> > > [ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
> > > [ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
> > > [ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10
> > > [isst_if_common]
> > > [ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
> > > [ 19.444797] cpuhp_invoke_callback+0x221/0xec0
> > > [ 19.446337] cpuhp_thread_fun+0x21b/0x610
> > > [ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
> > > [ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
> > > [ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
> > > [ 19.452405] kthread+0x29c/0x350
> > > [ 19.453817] ? __pfx_kthread+0x10/0x10
> > > [ 19.455253] ret_from_fork+0x31/0x70
> > > [ 19.456685] ? __pfx_kthread+0x10/0x10
> > > [ 19.458114] ret_from_fork_asm+0x1a/0x30
> > > [ 19.459573] </TASK>
> > > [ 19.460853]
> > > [ 19.462055] Allocated by task 1198:
> > > [ 19.463410] kasan_save_stack+0x30/0x50
> > > [ 19.464788] kasan_save_track+0x14/0x30
> > > [ 19.466139] __kasan_kmalloc+0xaa/0xb0
> > > [ 19.467465] __kmalloc+0x1cd/0x470
> > > [ 19.468748] isst_if_cdev_register+0x1da/0x350
> > > [isst_if_common]
> > > [ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
> > > [ 19.471670] do_one_initcall+0xa4/0x380
> > > [ 19.472903] do_init_module+0x238/0x760
> > > [ 19.474105] load_module+0x5239/0x6f00
> > > [ 19.475285] init_module_from_file+0xd1/0x130
> > > [ 19.476506] idempotent_init_module+0x23b/0x650
> > > [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> > > [ 19.476506] idempotent_init_module+0x23b/0x650
> > > [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> > > [ 19.478920] do_syscall_64+0x82/0x160
> > > [ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> > > [ 19.481292]
> > > [ 19.482205] The buggy address belongs to the object at
> > > ffff888829e65000
> > > which belongs to the cache kmalloc-512 of size 512
> > > [ 19.484818] The buggy address is located 0 bytes to the right
> > > of
> > > allocated 512-byte region [ffff888829e65000, ffff888829e65200)
> > > [ 19.487447]
> > > [ 19.488328] The buggy address belongs to the physical page:
> > > [ 19.489569] page: refcount:1 mapcount:0
> > > mapping:0000000000000000
> > > index:0xffff888829e60c00 pfn:0x829e60
> > > [ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0
> > > pincount:0
> > > [ 19.492466] anon flags:
> > > 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
> > > [ 19.493914] page_type: 0xffffffff()
> > > [ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80
> > > 0000000000000000 0000000000000001
> > > [ 19.496451] raw: ffff888829e60c00 0000000080200018
> > > 00000001ffffffff 0000000000000000
> > > [ 19.497906] head: 0057ffffc0000840 ffff88810004cc80
> > > 0000000000000000 0000000000000001
> > > [ 19.499379] head: ffff888829e60c00 0000000080200018
> > > 00000001ffffffff 0000000000000000
> > > [ 19.500844] head: 0057ffffc0000003 ffffea0020a79801
> > > ffffea0020a79848 00000000ffffffff
> > > [ 19.502316] head: 0000000800000000 0000000000000000
> > > 00000000ffffffff 0000000000000000
> > > [ 19.503784] page dumped because: kasan: bad access detected
> > > [ 19.505058]
> > > [ 19.505970] Memory state around the buggy address:
> > > [ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00
> > > 00 00
> > > 00 00 00 00
> > > [ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00
> > > 00 00
> > > 00 00 00 00
> > > [ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc
> > > fc fc
> > > fc fc fc fc
> > > [ 19.510014] ^
> > > [ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc
> > > fc fc
> > > fc fc fc fc
> > > [ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc
> > > fc fc
> > > fc fc fc fc
> > > [ 19.515367]
> > > =================================================================
> > > =
> > >
> > > Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping
> > > with
> > > Sub-NUMA clustering")
> > > Signed-off-by: Zach Wade <zachwade.k@gmail.com>
> > > ---
> > > drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 2
> > > +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git
> > > a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > index 10e21563fa46..80654aacd5bd 100644
> > > --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > @@ -316,7 +316,7 @@ static struct pci_dev
> > > *_isst_if_get_pci_dev(int
> > > cpu, int bus_no, int dev, int fn
> > > cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
> > > return NULL;
> > >
> > > - pkg_id = topology_physical_package_id(cpu);
> > > + pkg_id = topology_logical_package_id(cpu);
> > >
> > > bus_number = isst_cpu_info[cpu].bus_info[bus_no];
> > > if (bus_number < 0)
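Review bot: after the `+` line, `pkg_id` is used with no check against the size of the table it indexes. The context lines above validate `cpu` against `nr_cpu_ids` and `num_possible_cpus()`, but nothing bounds `pkg_id`, and the KASAN report shows the read landing exactly at the end of the 512-byte allocation. Suggest following the assignment with `if (pkg_id >= topology_max_packages()) return NULL;` so an unexpected ID cannot index past the allocation.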
> >
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-18 17:41 ` srinivas pandruvada
@ 2024-09-19 16:22 ` Zach Wade
2024-09-19 18:37 ` srinivas pandruvada
2024-09-19 16:37 ` [PATCH v2] " Zach Wade
2024-09-23 14:45 ` [PATCH v3] " Zach Wade
2 siblings, 1 reply; 15+ messages in thread
From: Zach Wade @ 2024-09-19 16:22 UTC (permalink / raw)
To: srinivas pandruvada, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86
On 2024/9/19 1:41, srinivas pandruvada wrote:
> On Thu, 2024-09-19 at 00:37 +0800, Zach Wade wrote:
>>
>>
>>> On 2024/9/18 21:48, srinivas pandruvada wrote:
>>>> Hi Wade,
>>>>
>>>> On Wed, 2024-09-18 at 02:03 +0800, Zach Wade wrote:
>>>>> In my vmware virtualization environment,
>>>>
>>>> How are you using this driver in virtualized environment?
>>>> Did you assign this PCI device to particular VM?
>>
>> Hi pandruvada,
>> Sorry, I misread my previous configuration. Please update the virtual
>> machine configuration to 32 core, 64GB. I have directly connected two
>> physical hard drives to the virtual machine.
> What is the dependency of physical hard drive?
>
>> Unfortunately, the lspci
>> -vvs "PCI ID" did not detect any PCI devices using the isst_if_max_msr
>> driver.
>>
>>>>
>>>> SST functions are not supported in virtualized environment as PM
>>>> functions can't be isolated (There may be some private
>>>> implementation
>>>> where they can assign all CPUs in a package to VM). Even if you
>>>> assign
>>>> this device, there are other MSRs needs to be virtualized.
>>>>
>
> Do you need to do anything to load this driver in VMware VM?
This issue was discovered when the hard drive was passed directly to the
virtual machine and the driver was automatically loaded.
The virtual machine executes lsblk internally and can see the physical
hard disk I am directly using:
lsblk -S
NAME HCTL TYPE VENDOR MODEL REV SERIAL
TRAN
sda 32:0:0:0 disk ATA SAMSUNG MZ7LH240HAHQ-00005 HXT7904Q
S45RNC0T166451
sdb 32:0:1:0 disk ATA INTEL SSDSC2KG480G8 XCV10100
BTYG84910BR5480BGN
> I don't think lspci in VM will show this device.
> Can you send lspci -k?
lspci -k
00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host
bridge (rev 01)
Subsystem: VMware Virtual Machine Chipset
00:01.0 PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP
bridge (rev 01)
00:07.0 ISA bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 08)
Subsystem: VMware Virtual Machine Chipset
00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01)
Subsystem: VMware Virtual Machine Chipset
Kernel driver in use: ata_piix
Kernel modules: pata_acpi, ata_generic
00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08)
Subsystem: VMware Virtual Machine Chipset
Kernel modules: i2c_piix4
00:07.7 System peripheral: VMware Virtual Machine Communication
Interface (rev 10)
Subsystem: VMware Virtual Machine Communication Interface
Kernel driver in use: vmw_vmci
Kernel modules: vmw_vmci
00:0f.0 VGA compatible controller: VMware SVGA II Adapter
Subsystem: VMware SVGA II Adapter
Kernel driver in use: vmwgfx
Kernel modules: vmwgfx
02:00.0 Serial Attached SCSI controller: VMware PVSCSI SCSI Controller
(rev 02)
DeviceName: SCSI0
Subsystem: VMware PVSCSI SCSI Controller
Kernel driver in use: vmw_pvscsi
Kernel modules: vmw_pvscsi
02:01.0 USB controller: VMware USB1.1 UHCI Controller
DeviceName: usb
Subsystem: VMware Device 1976
Kernel driver in use: uhci_hcd
02:02.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev 01)
DeviceName: Ethernet0
Subsystem: VMware VMXNET3 Ethernet Controller
Kernel driver in use: vmxnet3
Kernel modules: vmxnet3
02:03.0 USB controller: VMware USB2 EHCI Controller
DeviceName: ehci
Subsystem: VMware USB2 EHCI Controller
Kernel driver in use: ehci-pci
02:04.0 SATA controller: VMware SATA AHCI controller
DeviceName: sata0
Subsystem: VMware SATA AHCI controller
Kernel driver in use: ahci
>
> I want to make sure somehow your other VM PCI device is using same ID
> as this device.
>
Are you referring to transferring this hard drive to another virtual
machine? The action is too big, unfortunately I cannot do it this way.
This physical hard drive is only directly connected to this virtual
machine for use.
>
>>>> Here on the virtualized environment, seems the
>>>> topology_physical_package_id() (from CPU APIC ID in non
>>>> virtualized
>>>> case) is assigned some big value, which is more than max packages
>>>> in
>>>> the system.
>>>>
>>>> But your fix is good as topology_logical_package_id() should be
>>>> less
>>>> than value returned by topology_max_packages() and hence avoid
>>>> this
>>>> issue.
>>>>
>>>> Can you confirm the value returned by
>>>> topology_logical_package_id() and
>>>> topology_physical_package_id()?
>>
>> cat /proc/cpuinfo | grep "physical id"
>> physical id : 0
>> physical id : 2
>> physical id : 4
>> ......
>> physical id : 58
>> physical id : 60
>> physical id : 62
>
>>
>> I calculated topology_max_packages() * sizeof (* isst_pkg.info) in
>> isst_if_cpu_info_init, and focused on pkg_id and bus_no in
>> _isst_if_get_pci_dev.
>> The printk printed result is as follows:
>> [ 51.879700] Allocated size: 512
>
> Here topology_max_packages() returned 32.
yes.
>
>> [ 51.880148] pkg_id: 0, bus_no: 0
>> [ 51.881242] pkg_id: 0, bus_no: 1
>> [ 51.884209] pkg_id: 2, bus_no: 0
>> [ 51.884571] pkg_id: 2, bus_no: 1
>> [ 51.884931] pkg_id: 4, bus_no: 0
>> [ 51.885313] pkg_id: 4, bus_no: 1
>> ......
>> [ 51.899134] pkg_id: 28, bus_no: 0
>> [ 51.899511] pkg_id: 28, bus_no: 1
>> [ 51.899909] pkg_id: 30, bus_no: 0
>> [ 51.901012] pkg_id: 30, bus_no: 1
>> [ 51.902160]
>> ==================================================================
>> [ 51.902936] BUG: KASAN: slab-out-of-bounds in
>> _isst_if_get_pci_dev.cold+0xde/0xe4 [isst_if_common]
>> [ 51.982707]
>> ==================================================================
> Package ID is 32, so it will overflow. There seems to be only 32
> packages.
> If you print topology_logical_package_id(), you will have no gaps, and
> will be 0-31.
>
> Can you also print topology_logical_package_id() to confirm.
After adding printk to _isst_if_get_pci_dev, the changes in pkg_id can
be seen as follows:
[ 18.078652] pkg_id:0
[ 18.078669] pkg_id:0
[ 18.079215] pkg_id:1
[ 18.080920] pkg_id:1
[ 18.081847] pkg_id:2
[ 18.082756] pkg_id:2
[ 18.088928] pkg_id:3
[ 18.089839] pkg_id:3
......
[ 18.185462] pkg_id:30
[ 18.185471] pkg_id:30
[ 18.185561] pkg_id:31
[ 18.185569] pkg_id:31
>
> topology_max_packages() returns max __max_logical_packages, so
> topology_logical_package_id() will be better here.
>
>> [ 51.985453] pkg_id: 32, bus_no: 0
>> [ 51.986569] pkg_id: 32, bus_no: 1
>> [ 51.988501] pkg_id: 34, bus_no: 0
>> [ 51.989616] pkg_id: 34, bus_no: 1
>> ......
>> [ 52.059749] pkg_id: 58, bus_no: 0
>> [ 52.062331] pkg_id: 58, bus_no: 1
>> [ 52.066039] pkg_id: 60, bus_no: 0
>> [ 52.068503] pkg_id: 60, bus_no: 1
>> [ 52.072018] pkg_id: 62, bus_no: 0
>> [ 52.074375] pkg_id: 62, bus_no: 1
>>
>>>>
>>>> We can change commit description based on that.
>>>>
>>>> Thanks,
>>>> Srinivas
>>>>
>>
>> I think the changes are minor, so no more content was added to the
>> patch.
>> If you think it needs to be added, I am happy for you to help
>> supplement
>> it.
> I just want to be clear how to reproduce this issue.
>
> "
> Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds".
>
> Then you can add the kasan bug report.
>
> The reason for this error is physical_package_ids assigned by VMM have
> holes. This will cause value returned by topology_physical_package_id()
> to be more than topology_max_packages(). The allocation uses
> topology_max_packages() to allocate memory. topology_max_packages()
> returns maximum logical package IDs. Hence use
> topology_logical_package_id() instead of
> topology_physical_package_id().
> "
Thanks, I will make the necessary modifications in v2.
>
> Also we should add a check
>
> pkg_id = topology_logical_package_id(cpu);
> if (pkg_id >= topology_max_packages())
> return NULL;
>
> Maybe VMM has holes in logical IDs also, then at least it will not
> cause BUG.
Great suggestion, I will add it in the new v2.
Thanks,
Srinivas
>
> Thanks,
> Srinivas
>
>
>> Thanks,
>> Zach
>>
>>>> after loading the
>>>> isst_if_common and isst_if_mbox_msr modules on the 64 core, the
>>>> kasan
>>>> report was triggered.
>>>> After consulting the kernel manual
>>>> (Documentation/arch/x86/topology.rst),
>>>> I think in _isst_if_get_pci_dev, topology_physical_package_id
>>>> should
>>>> be
>>>> replaced with topology_logical_package_id.
>>>>
>>>> kasan bug report:
>>>> [ 19.411889]
>>>> =================================================================
>>>> =
>>>> [ 19.413702] BUG: KASAN: slab-out-of-bounds in
>>>> _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
>>>> [ 19.415634] Read of size 8 at addr ffff888829e65200 by task
>>>> cpuhp/16/113
>>>> [ 19.417368]
>>>> [ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G
>>>> E 6.9.0 #10
>>>> [ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX
>>>> Desktop
>>>> Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713
>>>> 07/28/2022
>>>> [ 19.422687] Call Trace:
>>>> [ 19.424091] <TASK>
>>>> [ 19.425448] dump_stack_lvl+0x5d/0x80
>>>> [ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400
>>>> [isst_if_common]
>>>> [ 19.428694] print_report+0x19d/0x52e
>>>> [ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
>>>> [ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400
>>>> [isst_if_common]
>>>> [ 19.433539] kasan_report+0xf0/0x170
>>>> [ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400
>>>> [isst_if_common]
>>>> [ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
>>>> [ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
>>>> [ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
>>>> [ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10
>>>> [isst_if_common]
>>>> [ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
>>>> [ 19.444797] cpuhp_invoke_callback+0x221/0xec0
>>>> [ 19.446337] cpuhp_thread_fun+0x21b/0x610
>>>> [ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
>>>> [ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
>>>> [ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
>>>> [ 19.452405] kthread+0x29c/0x350
>>>> [ 19.453817] ? __pfx_kthread+0x10/0x10
>>>> [ 19.455253] ret_from_fork+0x31/0x70
>>>> [ 19.456685] ? __pfx_kthread+0x10/0x10
>>>> [ 19.458114] ret_from_fork_asm+0x1a/0x30
>>>> [ 19.459573] </TASK>
>>>> [ 19.460853]
>>>> [ 19.462055] Allocated by task 1198:
>>>> [ 19.463410] kasan_save_stack+0x30/0x50
>>>> [ 19.464788] kasan_save_track+0x14/0x30
>>>> [ 19.466139] __kasan_kmalloc+0xaa/0xb0
>>>> [ 19.467465] __kmalloc+0x1cd/0x470
>>>> [ 19.468748] isst_if_cdev_register+0x1da/0x350
>>>> [isst_if_common]
>>>> [ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
>>>> [ 19.471670] do_one_initcall+0xa4/0x380
>>>> [ 19.472903] do_init_module+0x238/0x760
>>>> [ 19.474105] load_module+0x5239/0x6f00
>>>> [ 19.475285] init_module_from_file+0xd1/0x130
>>>> [ 19.476506] idempotent_init_module+0x23b/0x650
>>>> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
>>>> [ 19.476506] idempotent_init_module+0x23b/0x650
>>>> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
>>>> [ 19.478920] do_syscall_64+0x82/0x160
>>>> [ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>>> [ 19.481292]
>>>> [ 19.482205] The buggy address belongs to the object at
>>>> ffff888829e65000
>>>> which belongs to the cache kmalloc-512 of size 512
>>>> [ 19.484818] The buggy address is located 0 bytes to the right
>>>> of
>>>> allocated 512-byte region [ffff888829e65000, ffff888829e65200)
>>>> [ 19.487447]
>>>> [ 19.488328] The buggy address belongs to the physical page:
>>>> [ 19.489569] page: refcount:1 mapcount:0
>>>> mapping:0000000000000000
>>>> index:0xffff888829e60c00 pfn:0x829e60
>>>> [ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0
>>>> pincount:0
>>>> [ 19.492466] anon flags:
>>>> 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
>>>> [ 19.493914] page_type: 0xffffffff()
>>>> [ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80
>>>> 0000000000000000 0000000000000001
>>>> [ 19.496451] raw: ffff888829e60c00 0000000080200018
>>>> 00000001ffffffff 0000000000000000
>>>> [ 19.497906] head: 0057ffffc0000840 ffff88810004cc80
>>>> 0000000000000000 0000000000000001
>>>> [ 19.499379] head: ffff888829e60c00 0000000080200018
>>>> 00000001ffffffff 0000000000000000
>>>> [ 19.500844] head: 0057ffffc0000003 ffffea0020a79801
>>>> ffffea0020a79848 00000000ffffffff
>>>> [ 19.502316] head: 0000000800000000 0000000000000000
>>>> 00000000ffffffff 0000000000000000
>>>> [ 19.503784] page dumped because: kasan: bad access detected
>>>> [ 19.505058]
>>>> [ 19.505970] Memory state around the buggy address:
>>>> [ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00
>>>> 00 00
>>>> 00 00 00 00
>>>> [ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00
>>>> 00 00
>>>> 00 00 00 00
>>>> [ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc
>>>> fc fc
>>>> fc fc fc fc
>>>> [ 19.510014] ^
>>>> [ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc
>>>> fc fc
>>>> fc fc fc fc
>>>> [ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc
>>>> fc fc
>>>> fc fc fc fc
>>>> [ 19.515367]
>>>> =================================================================
>>>> =
>>>>
>>>> Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping
>>>> with
>>>> Sub-NUMA clustering")
>>>> Signed-off-by: Zach Wade <zachwade.k@gmail.com>
>>>> ---
>>>> drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 2
>>>> +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git
>>>> a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>>>> b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>>>> index 10e21563fa46..80654aacd5bd 100644
>>>> --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>>>> +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>>>> @@ -316,7 +316,7 @@ static struct pci_dev
>>>> *_isst_if_get_pci_dev(int
>>>> cpu, int bus_no, int dev, int fn
>>>> cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
>>>> return NULL;
>>>>
>>>> - pkg_id = topology_physical_package_id(cpu);
>>>> + pkg_id = topology_logical_package_id(cpu);
>>>>
>>>> bus_number = isst_cpu_info[cpu].bus_info[bus_no];
>>>> if (bus_number < 0)
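Review bot: the changelog above this hunk does not say why the calls on the `-` and `+` lines return different values on this machine, so the one-line swap cannot be checked against the report. The measurements posted in this thread answer that: physical IDs run 0, 2, ... 62, while `topology_max_packages()` returned 32 and the allocation was 512 bytes. Put those numbers in the commit message, along with the setup that caused the driver to load.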
>>>
>>
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v2] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-18 17:41 ` srinivas pandruvada
2024-09-19 16:22 ` Zach Wade
@ 2024-09-19 16:37 ` Zach Wade
2024-09-19 18:44 ` srinivas pandruvada
2024-09-23 14:45 ` [PATCH v3] " Zach Wade
2 siblings, 1 reply; 15+ messages in thread
From: Zach Wade @ 2024-09-19 16:37 UTC (permalink / raw)
To: srinivas.pandruvada, hdegoede, ilpo.jarvinen
Cc: platform-driver-x86, Zach Wade
Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds".
kasan report:
[ 19.411889] ==================================================================
[ 19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
[ 19.417368]
[ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10
[ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
[ 19.422687] Call Trace:
[ 19.424091] <TASK>
[ 19.425448] dump_stack_lvl+0x5d/0x80
[ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.428694] print_report+0x19d/0x52e
[ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.433539] kasan_report+0xf0/0x170
[ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
[ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
[ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
[ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
[ 19.444797] cpuhp_invoke_callback+0x221/0xec0
[ 19.446337] cpuhp_thread_fun+0x21b/0x610
[ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
[ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 19.452405] kthread+0x29c/0x350
[ 19.453817] ? __pfx_kthread+0x10/0x10
[ 19.455253] ret_from_fork+0x31/0x70
[ 19.456685] ? __pfx_kthread+0x10/0x10
[ 19.458114] ret_from_fork_asm+0x1a/0x30
[ 19.459573] </TASK>
[ 19.460853]
[ 19.462055] Allocated by task 1198:
[ 19.463410] kasan_save_stack+0x30/0x50
[ 19.464788] kasan_save_track+0x14/0x30
[ 19.466139] __kasan_kmalloc+0xaa/0xb0
[ 19.467465] __kmalloc+0x1cd/0x470
[ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
[ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
[ 19.471670] do_one_initcall+0xa4/0x380
[ 19.472903] do_init_module+0x238/0x760
[ 19.474105] load_module+0x5239/0x6f00
[ 19.475285] init_module_from_file+0xd1/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.478920] do_syscall_64+0x82/0x160
[ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 19.481292]
[ 19.482205] The buggy address belongs to the object at ffff888829e65000
which belongs to the cache kmalloc-512 of size 512
[ 19.484818] The buggy address is located 0 bytes to the right of
allocated 512-byte region [ffff888829e65000, ffff888829e65200)
[ 19.487447]
[ 19.488328] The buggy address belongs to the physical page:
[ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60
[ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
[ 19.493914] page_type: 0xffffffff()
[ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff
[ 19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 19.503784] page dumped because: kasan: bad access detected
[ 19.505058]
[ 19.505970] Memory state around the buggy address:
[ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.510014] ^
[ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.515367] ==================================================================
The reason for this error is physical_package_ids assigned by VMM have
holes. This will cause value returned by topology_physical_package_id()
to be more than topology_max_packages(). The allocation uses
topology_max_packages() to allocate memory. topology_max_packages()
returns maximum logical package IDs. Hence use
topology_logical_package_id() instead of
topology_physical_package_id().
Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering")
Signed-off-by: Zach Wade <zachwade.k@gmail.com>
---
drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
index 10e21563fa46..030c33070b84 100644
--- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
+++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
@@ -316,7 +316,9 @@ static struct pci_dev *_isst_if_get_pci_dev(int cpu, int bus_no, int dev, int fn
cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
return NULL;
- pkg_id = topology_physical_package_id(cpu);
+ pkg_id = topology_logical_package_id(cpu);
+ if (pkg_id >= topology_max_packages())
+ return NULL;
bus_number = isst_cpu_info[cpu].bus_info[bus_no];
if (bus_number < 0)
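Review bot: the added `if (pkg_id >= topology_max_packages())` test is not explained anywhere; the changelog covers only the switch to `topology_logical_package_id()`, and the code carries no comment. Add a sentence to the changelog, or a one-line comment above the test, saying that it guards the table lookup against a logical ID outside the range the allocation was sized for. The early `return NULL` is also silent; if callers do not report the failure, a once-only warning at this point would make a mis-enumerated topology visible.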
--
2.46.0
^ permalink raw reply related [flat|nested] 15+ messages in thread
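The indexing arithmetic behind the changelog above, as an added user-space model (not code from the isst_if_common driver). The 16-byte entry layout, the one-CPU-per-package mapping and every `model_*` name are assumptions chosen to match the numbers posted in this thread (32 packages, 512 bytes, physical IDs 0, 2, ... 62).

```c
/* Added illustration: user-space model of the table indexing discussed
 * in this thread. It is not code from the isst_if_common driver. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_MAX_PACKAGES 32 /* topology_max_packages() value reported in the thread */
#define MODEL_NR_CPUS      32 /* assumption: one CPU per package */
#define MODEL_BUSES         2 /* bus_no 0 and 1 in the thread's printk output */

/* Assumed entry layout: two 8-byte slots (standing in for 64-bit pointers),
 * 16 bytes per package, which gives the 512-byte allocation from the report. */
struct model_pkg_info {
    uint64_t dev[MODEL_BUSES];
};

/* Sparse IDs like the ones the reporter's VM exposed: 0, 2, 4, ... 62. */
static int model_physical_package_id(int cpu) { return cpu * 2; }

/* Dense IDs with no gaps: 0 .. 31. */
static int model_logical_package_id(int cpu) { return cpu; }

static size_t model_table_size(void)
{
    return MODEL_MAX_PACKAGES * sizeof(struct model_pkg_info);
}

/* Byte offset of table[pkg_id].dev[bus_no] from the start of the table. */
static size_t model_access_offset(int pkg_id, int bus_no)
{
    return (size_t)pkg_id * sizeof(struct model_pkg_info) +
           (size_t)bus_no * sizeof(uint64_t);
}

/* 1 if an 8-byte read of that slot stays inside the allocation. */
static int model_access_in_bounds(int pkg_id, int bus_no)
{
    if (pkg_id < 0 || bus_no < 0 || bus_no >= MODEL_BUSES)
        return 0;
    return model_access_offset(pkg_id, bus_no) + sizeof(uint64_t) <=
           model_table_size();
}

/* First CPU whose lookup would leave the allocation, or -1 if none does. */
static int model_first_oob_cpu(int (*id_of)(int cpu))
{
    for (int cpu = 0; cpu < MODEL_NR_CPUS; cpu++)
        for (int bus = 0; bus < MODEL_BUSES; bus++)
            if (!model_access_in_bounds(id_of(cpu), bus))
                return cpu;
    return -1;
}

/* Number of CPUs whose package entry lies outside the allocation. */
static int model_count_oob_cpus(int (*id_of)(int cpu))
{
    int bad = 0;
    for (int cpu = 0; cpu < MODEL_NR_CPUS; cpu++)
        if (!model_access_in_bounds(id_of(cpu), 0))
            bad++;
    return bad;
}

/* Lookup guarded the way the v2 hunk does it; the negative-ID and bus_no
 * checks are additions of this model, not part of the patch. */
static uint64_t *model_lookup_checked(struct model_pkg_info *table,
                                      int pkg_id, int bus_no)
{
    if (pkg_id < 0 || pkg_id >= MODEL_MAX_PACKAGES)
        return NULL;
    if (bus_no < 0 || bus_no >= MODEL_BUSES)
        return NULL;
    return &table[pkg_id].dev[bus_no];
}

int main(void)
{
    struct model_pkg_info *table = calloc(MODEL_MAX_PACKAGES, sizeof(*table));
    if (!table)
        return 1;

    int cpu = model_first_oob_cpu(model_physical_package_id);
    int id = model_physical_package_id(cpu);
    printf("table size: %zu bytes\n", model_table_size());
    printf("physical IDs: first bad CPU %d (pkg_id %d), offset %zu\n",
           cpu, id, model_access_offset(id, 0));
    printf("physical IDs: %d CPUs out of range; logical IDs: %d\n",
           model_count_oob_cpus(model_physical_package_id),
           model_count_oob_cpus(model_logical_package_id));
    printf("guarded lookup of pkg_id %d: %s\n", id,
           model_lookup_checked(table, id, 0) ? "slot" : "NULL");
    free(table);
    return 0;
}
```

In this model the first out-of-range lookup is CPU 16 with ID 32, at offset 512, which matches the report's 8-byte read by `cpuhp/16` located 0 bytes to the right of the 512-byte region.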
* Re: [PATCH] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-19 16:22 ` Zach Wade
@ 2024-09-19 18:37 ` srinivas pandruvada
2024-09-20 16:16 ` Zach Wade
0 siblings, 1 reply; 15+ messages in thread
From: srinivas pandruvada @ 2024-09-19 18:37 UTC (permalink / raw)
To: Zach Wade, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86
On Fri, 2024-09-20 at 00:22 +0800, Zach Wade wrote:
>
>
>
Hi Wade,
...
...
> This issue was discovered when the hard drive was passed directly to
> the
> virtual machine and the driver was automatically loaded.
>
> The virtual machine executes lsblk internally and can see the
> physical
> hard disk I am directly using:
> lsblk -S
> NAME HCTL TYPE VENDOR MODEL REV
> SERIAL
> TRAN
> sda 32:0:0:0 disk ATA SAMSUNG MZ7LH240HAHQ-00005 HXT7904Q
> S45RNC0T166451
> sdb 32:0:1:0 disk ATA INTEL SSDSC2KG480G8 XCV10100
> BTYG84910BR5480BGN
>
So seems these devices are using same PCI Intel vendor device ID as SST
device after emulation.
These are not SST devices.
What is
sudo lspci -vvv
Also cat /proc/cpuinfo?
Thanks,
Srinivas
>
> > I don't think lspci in VM will show this device.
> > Can you send lspci -k?
>
> lspci -k
> 00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX
> Host
> bridge (rev 01)
> Subsystem: VMware Virtual Machine Chipset
> 00:01.0 PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP
> bridge (rev 01)
> 00:07.0 ISA bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev
> 08)
> Subsystem: VMware Virtual Machine Chipset
> 00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev
> 01)
> Subsystem: VMware Virtual Machine Chipset
> Kernel driver in use: ata_piix
> Kernel modules: pata_acpi, ata_generic
> 00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08)
> Subsystem: VMware Virtual Machine Chipset
> Kernel modules: i2c_piix4
> 00:07.7 System peripheral: VMware Virtual Machine Communication
> Interface (rev 10)
> Subsystem: VMware Virtual Machine Communication Interface
> Kernel driver in use: vmw_vmci
> Kernel modules: vmw_vmci
> 00:0f.0 VGA compatible controller: VMware SVGA II Adapter
> Subsystem: VMware SVGA II Adapter
> Kernel driver in use: vmwgfx
> Kernel modules: vmwgfx
> 02:00.0 Serial Attached SCSI controller: VMware PVSCSI SCSI
> Controller
> (rev 02)
> DeviceName: SCSI0
> Subsystem: VMware PVSCSI SCSI Controller
> Kernel driver in use: vmw_pvscsi
> Kernel modules: vmw_pvscsi
> 02:01.0 USB controller: VMware USB1.1 UHCI Controller
> DeviceName: usb
> Subsystem: VMware Device 1976
> Kernel driver in use: uhci_hcd
> 02:02.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev
> 01)
> DeviceName: Ethernet0
> Subsystem: VMware VMXNET3 Ethernet Controller
> Kernel driver in use: vmxnet3
> Kernel modules: vmxnet3
> 02:03.0 USB controller: VMware USB2 EHCI Controller
> DeviceName: ehci
> Subsystem: VMware USB2 EHCI Controller
> Kernel driver in use: ehci-pci
> 02:04.0 SATA controller: VMware SATA AHCI controller
> DeviceName: sata0
> Subsystem: VMware SATA AHCI controller
> Kernel driver in use: ahci
>
> >
This is not complete list.
> > I want to make sure somehow your other VM PCI device is using same
> > ID
> > as this device.
> >
>
> Are you referring to transferring this hard drive to another virtual
> machine? The action is too big, unfortunately I cannot do it this
> way.
> This physical hard drive is only directly connected to this virtual
> machine for use.
>
> >
> > > > > Here on the virtualized environment, seems the
> > > > > topology_physical_package_id() (from CPU APIC ID in non
> > > > > virtualized
> > > > > case) is assigned some big value, which is more than max
> > > > > packages
> > > > > in
> > > > > the system.
> > > > >
> > > > > But your fix is good as topology_logical_package_id() should
> > > > > be
> > > > > less
> > > > > than value returned by topology_max_packages() and hence
> > > > > avoid
> > > > > this
> > > > > issue.
> > > > >
> > > > > Can you confirm the value returned by
> > > > > topology_logical_package_id() and
> > > > > topology_physical_package_id()?
> > >
> > > cat /proc/cpuinfo | grep "physical id"
> > > physical id : 0
> > > physical id : 2
> > > physical id : 4
> > > ......
> > > physical id : 58
> > > physical id : 60
> > > physical id : 62
> >
> > >
> > > I calculated topology_max_packages() * sizeof (* isst_pkg.info)
> > > in
> > > isst_if_cpu_info_init, and focused on pkg_id and bus_no in
> > > _isst_if_get_pci_dev.
> > > The printk printed result is as follows:
> > > [ 51.879700] Allocated size: 512
> >
> > Here topology_max_packages() returned 32.
>
> yes.
>
> >
> > > [ 51.880148] pkg_id: 0, bus_no: 0
> > > [ 51.881242] pkg_id: 0, bus_no: 1
> > > [ 51.884209] pkg_id: 2, bus_no: 0
> > > [ 51.884571] pkg_id: 2, bus_no: 1
> > > [ 51.884931] pkg_id: 4, bus_no: 0
> > > [ 51.885313] pkg_id: 4, bus_no: 1
> > > ......
> > > [ 51.899134] pkg_id: 28, bus_no: 0
> > > [ 51.899511] pkg_id: 28, bus_no: 1
> > > [ 51.899909] pkg_id: 30, bus_no: 0
> > > [ 51.901012] pkg_id: 30, bus_no: 1
> > > [ 51.902160]
> > > =================================================================
> > > =
> > > [ 51.902936] BUG: KASAN: slab-out-of-bounds in
> > > _isst_if_get_pci_dev.cold+0xde/0xe4 [isst_if_common]
> > > [ 51.982707]
> > > =================================================================
> > > =
> > Package ID is 32, so it will overflow. There seems to be only 32
> > packages.
> > If you print topology_logical_package_id(), you will have no gaps,
> > and
> > will be 0-31.
> >
> > Can you also print topology_logical_package_id() to confirm.
>
> After adding printk to _isst_if_get_pci_dev, the changes in pkg_id
> can
> be seen as follows:
> [ 18.078652] pkg_id:0
> [ 18.078669] pkg_id:0
> [ 18.079215] pkg_id:1
> [ 18.080920] pkg_id:1
> [ 18.081847] pkg_id:2
> [ 18.082756] pkg_id:2
> [ 18.088928] pkg_id:3
> [ 18.089839] pkg_id:3
> ......
> [ 18.185462] pkg_id:30
> [ 18.185471] pkg_id:30
> [ 18.185561] pkg_id:31
> [ 18.185569] pkg_id:31
>
> >
> > topology_max_packages() returns max __max_logical_packages, so
> > topology_logical_package_id() will be better here.
> >
> > > [ 51.985453] pkg_id: 32, bus_no: 0
> > > [ 51.986569] pkg_id: 32, bus_no: 1
> > > [ 51.988501] pkg_id: 34, bus_no: 0
> > > [ 51.989616] pkg_id: 34, bus_no: 1
> > > ......
> > > [ 52.059749] pkg_id: 58, bus_no: 0
> > > [ 52.062331] pkg_id: 58, bus_no: 1
> > > [ 52.066039] pkg_id: 60, bus_no: 0
> > > [ 52.068503] pkg_id: 60, bus_no: 1
> > > [ 52.072018] pkg_id: 62, bus_no: 0
> > > [ 52.074375] pkg_id: 62, bus_no: 1
> > >
> > > > >
> > > > > We can change commit description based on that.
> > > > >
> > > > > Thanks,
> > > > > Srinivas
> > > > >
> > >
> > > I think the changes are minor, so no more content was added to
> > > the
> > > patch.
> > > If you think it needs to be added, I am happy for you to help
> > > supplement
> > > it.
> > I just want to be clear how to reproduce this issue.
> >
> > "
> > Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-
> > bounds".
> >
> > Then you can add the kasan bug report.
> >
> > The reason for this error is physical_package_ids assigned by VMM
> > have
> > holes. This will cause value returned by
> > topology_physical_package_id()
> > to be more than topology_max_packages(). The allocation uses
> > topology_max_packages() to allocate memory. topology_max_packages()
> > returns maximum logical package IDs. Hence use
> > topology_logical_package_id() instead of
> > topology_physical_package_id().
> > "
>
> Thanks, I will make the necessary modifications in v2.
>
> >
> > Also we should add a check
> >
> > pkg_id = topology_logical_package_id(cpu);
> > if (pkg_id >= topology_max_packages())
> > return NULL;
> >
> > Maybe VMM has holes in logical IDs also, then at least it will not
> > cause BUG.
>
> Great suggestion, I will add it in the new v2.
>
> Thanks,
> Srinivas
>
> >
> > Thanks,
> > Srinivas
> >
> >
> > > Thanks,
> > > Zach
> > >
> > > > > after loading the
> > > > > isst_if_common and isst_if_mbox_msr modules on the 64 core,
> > > > > the
> > > > > kasan
> > > > > report was triggered.
> > > > > After consulting the kernel manual
> > > > > (Documentation/arch/x86/topology.rst),
> > > > > I think in _isst_if_get_pci_dev, topology_physical_package_id
> > > > > should
> > > > > be
> > > > > replaced with topology_logical_package_id.
> > > > >
> > > > > kasan bug report:
> > > > > [ 19.411889]
> > > > > =============================================================
> > > > > ====
> > > > > =
> > > > > [ 19.413702] BUG: KASAN: slab-out-of-bounds in
> > > > > _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> > > > > [ 19.415634] Read of size 8 at addr ffff888829e65200 by
> > > > > task
> > > > > cpuhp/16/113
> > > > > [ 19.417368]
> > > > > [ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G
> > > > > E 6.9.0 #10
> > > > > [ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX
> > > > > Desktop
> > > > > Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713
> > > > > 07/28/2022
> > > > > [ 19.422687] Call Trace:
> > > > > [ 19.424091] <TASK>
> > > > > [ 19.425448] dump_stack_lvl+0x5d/0x80
> > > > > [ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400
> > > > > [isst_if_common]
> > > > > [ 19.428694] print_report+0x19d/0x52e
> > > > > [ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
> > > > > [ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400
> > > > > [isst_if_common]
> > > > > [ 19.433539] kasan_report+0xf0/0x170
> > > > > [ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400
> > > > > [isst_if_common]
> > > > > [ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400
> > > > > [isst_if_common]
> > > > > [ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
> > > > > [ 19.439910] isst_if_cpu_online+0x406/0x58f
> > > > > [isst_if_common]
> > > > > [ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10
> > > > > [isst_if_common]
> > > > > [ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
> > > > > [ 19.444797] cpuhp_invoke_callback+0x221/0xec0
> > > > > [ 19.446337] cpuhp_thread_fun+0x21b/0x610
> > > > > [ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
> > > > > [ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
> > > > > [ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
> > > > > [ 19.452405] kthread+0x29c/0x350
> > > > > [ 19.453817] ? __pfx_kthread+0x10/0x10
> > > > > [ 19.455253] ret_from_fork+0x31/0x70
> > > > > [ 19.456685] ? __pfx_kthread+0x10/0x10
> > > > > [ 19.458114] ret_from_fork_asm+0x1a/0x30
> > > > > [ 19.459573] </TASK>
> > > > > [ 19.460853]
> > > > > [ 19.462055] Allocated by task 1198:
> > > > > [ 19.463410] kasan_save_stack+0x30/0x50
> > > > > [ 19.464788] kasan_save_track+0x14/0x30
> > > > > [ 19.466139] __kasan_kmalloc+0xaa/0xb0
> > > > > [ 19.467465] __kmalloc+0x1cd/0x470
> > > > > [ 19.468748] isst_if_cdev_register+0x1da/0x350
> > > > > [isst_if_common]
> > > > > [ 19.470233] isst_if_mbox_init+0x108/0xff0
> > > > > [isst_if_mbox_msr]
> > > > > [ 19.471670] do_one_initcall+0xa4/0x380
> > > > > [ 19.472903] do_init_module+0x238/0x760
> > > > > [ 19.474105] load_module+0x5239/0x6f00
> > > > > [ 19.475285] init_module_from_file+0xd1/0x130
> > > > > [ 19.476506] idempotent_init_module+0x23b/0x650
> > > > > [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> > > > > [ 19.476506] idempotent_init_module+0x23b/0x650
> > > > > [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> > > > > [ 19.478920] do_syscall_64+0x82/0x160
> > > > > [ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> > > > > [ 19.481292]
> > > > > [ 19.482205] The buggy address belongs to the object at
> > > > > ffff888829e65000
> > > > > which belongs to the cache kmalloc-512 of size 512
> > > > > [ 19.484818] The buggy address is located 0 bytes to the
> > > > > right
> > > > > of
> > > > > allocated 512-byte region [ffff888829e65000,
> > > > > ffff888829e65200)
> > > > > [ 19.487447]
> > > > > [ 19.488328] The buggy address belongs to the physical
> > > > > page:
> > > > > [ 19.489569] page: refcount:1 mapcount:0
> > > > > mapping:0000000000000000
> > > > > index:0xffff888829e60c00 pfn:0x829e60
> > > > > [ 19.491140] head: order:3 entire_mapcount:0
> > > > > nr_pages_mapped:0
> > > > > pincount:0
> > > > > [ 19.492466] anon flags:
> > > > > 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
> > > > > [ 19.493914] page_type: 0xffffffff()
> > > > > [ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80
> > > > > 0000000000000000 0000000000000001
> > > > > [ 19.496451] raw: ffff888829e60c00 0000000080200018
> > > > > 00000001ffffffff 0000000000000000
> > > > > [ 19.497906] head: 0057ffffc0000840 ffff88810004cc80
> > > > > 0000000000000000 0000000000000001
> > > > > [ 19.499379] head: ffff888829e60c00 0000000080200018
> > > > > 00000001ffffffff 0000000000000000
> > > > > [ 19.500844] head: 0057ffffc0000003 ffffea0020a79801
> > > > > ffffea0020a79848 00000000ffffffff
> > > > > [ 19.502316] head: 0000000800000000 0000000000000000
> > > > > 00000000ffffffff 0000000000000000
> > > > > [ 19.503784] page dumped because: kasan: bad access
> > > > > detected
> > > > > [ 19.505058]
> > > > > [ 19.505970] Memory state around the buggy address:
> > > > > [ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00
> > > > > 00
> > > > > 00 00
> > > > > 00 00 00 00
> > > > > [ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00
> > > > > 00
> > > > > 00 00
> > > > > 00 00 00 00
> > > > > [ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc
> > > > > fc
> > > > > fc fc
> > > > > fc fc fc fc
> > > > > [ 19.510014] ^
> > > > > [ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc
> > > > > fc
> > > > > fc fc
> > > > > fc fc fc fc
> > > > > [ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc
> > > > > fc
> > > > > fc fc
> > > > > fc fc fc fc
> > > > > [ 19.515367]
> > > > > =============================================================
> > > > > ====
> > > > > =
> > > > >
> > > > > > Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering")
> > > > > Signed-off-by: Zach Wade <zachwade.k@gmail.com>
> > > > > ---
> > > > > drivers/platform/x86/intel/speed_select_if/isst_if_common.
> > > > > c | 2
> > > > > +-
> > > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > > >
> > > > > diff --git
> > > > > a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > > > b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > > > index 10e21563fa46..80654aacd5bd 100644
> > > > > ---
> > > > > a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > > > +++
> > > > > b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > > > @@ -316,7 +316,7 @@ static struct pci_dev
> > > > > *_isst_if_get_pci_dev(int
> > > > > cpu, int bus_no, int dev, int fn
> > > > > cpu >= nr_cpu_ids || cpu >=
> > > > > num_possible_cpus())
> > > > > return NULL;
> > > > >
> > > > > - pkg_id = topology_physical_package_id(cpu);
> > > > > + pkg_id = topology_logical_package_id(cpu);
> > > > >
> > > > > bus_number = isst_cpu_info[cpu].bus_info[bus_no];
> > > > > if (bus_number < 0)
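Review bot: pkg_id is assigned from topology_logical_package_id(cpu) with no range check in the lines shown, whereas cpu is tested against nr_cpu_ids and num_possible_cpus() immediately above and the function returns NULL on failure. Since the report is an out-of-bounds read inside this function, follow the same pattern and return NULL when pkg_id falls outside the allocated table. The changelog should also say why the physical package ID overruns the allocation; as posted it only states that the call "should be replaced".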
> > > >
> > >
> >
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-19 16:37 ` [PATCH v2] " Zach Wade
@ 2024-09-19 18:44 ` srinivas pandruvada
2024-09-20 16:19 ` Zach Wade
0 siblings, 1 reply; 15+ messages in thread
From: srinivas pandruvada @ 2024-09-19 18:44 UTC (permalink / raw)
To: Zach Wade, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86
On Fri, 2024-09-20 at 00:37 +0800, Zach Wade wrote:
> Attaching SST PCI device to VM causes
You are not attaching an SST PCI device to the VM. It seems some hard drives
emulate the same PCI vendor/device ID.
But replacing with topology_logical_package_id() is fine.
Let's find out what those devices are.
Thanks,
Srinivas
> "BUG: KASAN: slab-out-of-bounds".
> kasan report:
> [ 19.411889]
> ==================================================================
> [ 19.413702] BUG: KASAN: slab-out-of-bounds in
> _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.415634] Read of size 8 at addr ffff888829e65200 by task
> cpuhp/16/113
> [ 19.417368]
> [ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G
> E 6.9.0 #10
> [ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop
> Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713
> 07/28/2022
> [ 19.422687] Call Trace:
> [ 19.424091] <TASK>
> [ 19.425448] dump_stack_lvl+0x5d/0x80
> [ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.428694] print_report+0x19d/0x52e
> [ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
> [ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.433539] kasan_report+0xf0/0x170
> [ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
> [ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
> [ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
> [ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
> [ 19.444797] cpuhp_invoke_callback+0x221/0xec0
> [ 19.446337] cpuhp_thread_fun+0x21b/0x610
> [ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
> [ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
> [ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
> [ 19.452405] kthread+0x29c/0x350
> [ 19.453817] ? __pfx_kthread+0x10/0x10
> [ 19.455253] ret_from_fork+0x31/0x70
> [ 19.456685] ? __pfx_kthread+0x10/0x10
> [ 19.458114] ret_from_fork_asm+0x1a/0x30
> [ 19.459573] </TASK>
> [ 19.460853]
> [ 19.462055] Allocated by task 1198:
> [ 19.463410] kasan_save_stack+0x30/0x50
> [ 19.464788] kasan_save_track+0x14/0x30
> [ 19.466139] __kasan_kmalloc+0xaa/0xb0
> [ 19.467465] __kmalloc+0x1cd/0x470
> [ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
> [ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
> [ 19.471670] do_one_initcall+0xa4/0x380
> [ 19.472903] do_init_module+0x238/0x760
> [ 19.474105] load_module+0x5239/0x6f00
> [ 19.475285] init_module_from_file+0xd1/0x130
> [ 19.476506] idempotent_init_module+0x23b/0x650
> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> [ 19.476506] idempotent_init_module+0x23b/0x650
> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> [ 19.478920] do_syscall_64+0x82/0x160
> [ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 19.481292]
> [ 19.482205] The buggy address belongs to the object at
> ffff888829e65000
> which belongs to the cache kmalloc-512 of size 512
> [ 19.484818] The buggy address is located 0 bytes to the right of
> allocated 512-byte region [ffff888829e65000, ffff888829e65200)
> [ 19.487447]
> [ 19.488328] The buggy address belongs to the physical page:
> [ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000
> index:0xffff888829e60c00 pfn:0x829e60
> [ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0
> pincount:0
> [ 19.492466] anon flags:
> 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
> [ 19.493914] page_type: 0xffffffff()
> [ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80
> 0000000000000000 0000000000000001
> [ 19.496451] raw: ffff888829e60c00 0000000080200018
> 00000001ffffffff 0000000000000000
> [ 19.497906] head: 0057ffffc0000840 ffff88810004cc80
> 0000000000000000 0000000000000001
> [ 19.499379] head: ffff888829e60c00 0000000080200018
> 00000001ffffffff 0000000000000000
> [ 19.500844] head: 0057ffffc0000003 ffffea0020a79801
> ffffea0020a79848 00000000ffffffff
> [ 19.502316] head: 0000000800000000 0000000000000000
> 00000000ffffffff 0000000000000000
> [ 19.503784] page dumped because: kasan: bad access detected
> [ 19.505058]
> [ 19.505970] Memory state around the buggy address:
> [ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00
> [ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00
> [ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [ 19.510014] ^
> [ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [ 19.515367]
> ==================================================================
> The reason for this error is physical_package_ids assigned by VMM
> have
> holes. This will cause value returned by
> topology_physical_package_id()
> to be more than topology_max_packages(). The allocation uses
> topology_max_packages() to allocate memory. topology_max_packages()
> returns maximum logical package IDs. Hence use
> topology_logical_package_id() instead of
> topology_physical_package_id().
>
> Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with
> Sub-NUMA clustering")
> Signed-off-by: Zach Wade <zachwade.k@gmail.com>
> ---
> drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git
> a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> index 10e21563fa46..030c33070b84 100644
> --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> @@ -316,7 +316,9 @@ static struct pci_dev *_isst_if_get_pci_dev(int
> cpu, int bus_no, int dev, int fn
> cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
> return NULL;
>
> - pkg_id = topology_physical_package_id(cpu);
> + pkg_id = topology_logical_package_id(cpu);
> + if (pkg_id >= topology_max_packages())
> + return NULL;
>
> bus_number = isst_cpu_info[cpu].bus_info[bus_no];
> if (bus_number < 0)
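Review bot: the added test `if (pkg_id >= topology_max_packages())` bounds pkg_id only from above. The declaration of pkg_id is outside this hunk; if it is a signed int, a negative ID would pass the test and still reach whatever is indexed with it afterwards. Either confirm the type makes that impossible or extend the condition with `pkg_id < 0 ||`. A short comment above the check naming the allocation it protects (the changelog says it is sized with topology_max_packages()) would keep the two from drifting apart.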
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-19 18:37 ` srinivas pandruvada
@ 2024-09-20 16:16 ` Zach Wade
0 siblings, 0 replies; 15+ messages in thread
From: Zach Wade @ 2024-09-20 16:16 UTC (permalink / raw)
To: srinivas pandruvada, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86
On 2024/9/20 2:37, srinivas pandruvada wrote:
> On Fri, 2024-09-20 at 00:22 +0800, Zach Wade wrote:
>>
>>
>>
> Hi Wade,
>
>
> ...
> ...
>
> What is
> sudo lspci -vvv
Hi Pandruvada,
The command output is as follows:
lspci -vvv
00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host
bridge (rev 01)
Subsystem: VMware Virtual Machine Chipset
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium
>TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
00:01.0 PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP
bridge (rev 01) (prog-if 00 [Normal decode])
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz+ UDF- FastB2B- ParErr- DEVSEL=medium
>TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
Bus: primary=00, secondary=01, subordinate=01, sec-latency=0
I/O behind bridge: f000-0fff [disabled] [16-bit]
Memory behind bridge: fff00000-000fffff [disabled] [32-bit]
Prefetchable memory behind bridge: fff00000-000fffff [disabled]
[32-bit]
Secondary status: 66MHz+ FastB2B+ ParErr- DEVSEL=medium
>TAbort- <TAbort- <MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR- NoISA- VGA- VGA16- MAbort- >Reset-
FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
00:07.0 ISA bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 08)
Subsystem: VMware Virtual Machine Chipset
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium
>TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev
01) (prog-if 8a [ISA Compatibility mode controller, supports both
channels switched to PCI native mode, supports bus mastering])
Subsystem: VMware Virtual Machine Chipset
Control: I/O+ Mem- BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium
>TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 64
Region 0: I/O ports at 01f0 [size=8]
Region 1: I/O ports at 03f4
Region 2: I/O ports at 0170 [size=8]
Region 3: I/O ports at 0374
Region 4: I/O ports at 0850 [size=16]
Kernel driver in use: ata_piix
Kernel modules: pata_acpi, ata_generic
00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 08)
Subsystem: VMware Virtual Machine Chipset
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium
>TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Interrupt: pin ? routed to IRQ 9
Kernel modules: i2c_piix4
00:07.7 System peripheral: VMware Virtual Machine Communication
Interface (rev 10)
Subsystem: VMware Virtual Machine Communication Interface
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium
>TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 64 (1500ns min, 63750ns max)
Interrupt: pin A routed to IRQ 16
Region 0: I/O ports at 0800 [size=64]
Region 1: Memory at ffbc0000 (64-bit, non-prefetchable) [size=256K]
Capabilities: [40] MSI: Enable- Count=1/1 Maskable- 64bit+
Address: 0000000000000000 Data: 0000
Capabilities: [58] MSI-X: Enable+ Count=3 Masked-
Vector table: BAR=1 offset=00000000
PBA: BAR=1 offset=00010000
Kernel driver in use: vmw_vmci
Kernel modules: vmw_vmci
00:0f.0 VGA compatible controller: VMware SVGA II Adapter (prog-if 00
[VGA controller])
Subsystem: VMware SVGA II Adapter
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium
>TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 64, Cache Line Size: 32 bytes
Interrupt: pin A routed to IRQ 16
Region 0: I/O ports at 0840 [size=16]
Region 1: Memory at f0000000 (32-bit, prefetchable) [size=128M]
Region 2: Memory at ff000000 (32-bit, non-prefetchable) [size=8M]
Expansion ROM at 000c0000 [disabled] [size=128K]
Capabilities: [40] Vendor Specific Information: Len=00 <?>
Capabilities: [44] PCI Advanced Features
AFCap: TP+ FLR+
AFCtrl: FLR-
AFStatus: TP-
Kernel driver in use: vmwgfx
Kernel modules: vmwgfx
02:00.0 Serial Attached SCSI controller: VMware PVSCSI SCSI Controller
(rev 02)
DeviceName: SCSI0
Subsystem: VMware PVSCSI SCSI Controller
Physical Slot: 32
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 17
Region 0: I/O ports at 0a30 [size=8]
Region 1: Memory at ffbb0000 (64-bit, non-prefetchable) [size=32K]
Expansion ROM at fdd00000 [disabled] [size=64K]
Capabilities: [40] Express (v2) Endpoint, IntMsgNum 0
DevCap: MaxPayload 128 bytes, PhantFunc 0, Latency L0s
<64ns, L1 <1us
ExtTag- AttnBtn- AttnInd- PwrInd- RBE- FLReset+
SlotPowerLimit 0W
DevCtl: CorrErr- NonFatalErr- FatalErr- UnsupReq-
RlxdOrd- ExtTag- PhantFunc- AuxPwr- NoSnoop-
FLReset-
MaxPayload 128 bytes, MaxReadReq 128 bytes
DevSta: CorrErr- NonFatalErr- FatalErr- UnsupReq-
AuxPwr- TransPend-
LnkCap: Port #0, Speed 5GT/s, Width x32, ASPM L0s, Exit
Latency L0s <64ns
ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp-
LnkCtl: ASPM Disabled; RCB 64 bytes, LnkDisable- CommClk-
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 5GT/s, Width x32
TrErr- Train- SlotClk- DLActive- BWMgmt- ABWMgmt-
DevCap2: Completion Timeout: Not Supported, TimeoutDis-
NROPrPrP- LTR-
10BitTagComp- 10BitTagReq- OBFF Not Supported,
ExtFmt- EETLPPrefix-
EmergencyPowerReduction Not Supported,
EmergencyPowerReductionInit-
FRS- TPHComp- ExtTPHComp-
AtomicOpsCap: 32bit- 64bit- 128bitCAS-
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-
AtomicOpsCtl: ReqEn-
IDOReq- IDOCompl- LTR- EmergencyPowerReductionReq-
10BitTagReq- OBFF Disabled, EETLPPrefixBlk-
LnkCtl2: Target Link Speed: 2.5GT/s, EnterCompliance-
SpeedDis-
Transmit Margin: Normal Operating Range,
EnterModifiedCompliance- ComplianceSOS-
Compliance Preset/De-emphasis: -6dB
de-emphasis, 0dB preshoot
LnkSta2: Current De-emphasis Level: -6dB,
EqualizationComplete- EqualizationPhase1-
EqualizationPhase2- EqualizationPhase3-
LinkEqualizationRequest-
Retimer- 2Retimers- CrosslinkRes: unsupported
Capabilities: [7c] MSI: Enable- Count=1/1 Maskable- 64bit+
Address: 0000000000000000 Data: 0000
Capabilities: [94] Power Management version 3
Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA
PME(D0+,D1-,D2-,D3hot+,D3cold+)
Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
Capabilities: [9c] MSI-X: Enable+ Count=24 Masked-
Vector table: BAR=1 offset=00006000
PBA: BAR=1 offset=00007000
Capabilities: [100 v1] Device Serial Number c0-45-4f-c0-50-05-05-68
Kernel driver in use: vmw_pvscsi
Kernel modules: vmw_pvscsi
02:01.0 USB controller: VMware USB1.1 UHCI Controller (prog-if 00 [UHCI])
DeviceName: usb
Subsystem: VMware Device 1976
Physical Slot: 33
Control: I/O+ Mem- BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium
>TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 64
Interrupt: pin A routed to IRQ 18
Region 4: I/O ports at 0a00 [size=32]
Capabilities: [40] PCI Advanced Features
AFCap: TP+ FLR+
AFCtrl: FLR-
AFStatus: TP-
Kernel driver in use: uhci_hcd
02:02.0 Ethernet controller: VMware VMXNET3 Ethernet Controller (rev 01)
DeviceName: Ethernet0
Subsystem: VMware VMXNET3 Ethernet Controller
Physical Slot: 34
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 32 bytes
Interrupt: pin A routed to IRQ 19
Region 0: Memory at fe243000 (32-bit, non-prefetchable) [size=4K]
Region 1: Memory at fe242000 (32-bit, non-prefetchable) [size=4K]
Region 2: Memory at fe240000 (32-bit, non-prefetchable) [size=8K]
Region 3: I/O ports at 0a20 [size=16]
Expansion ROM at fdd10000 [disabled] [size=64K]
Capabilities: [40] Power Management version 3
Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=0mA
PME(D0+,D1+,D2+,D3hot+,D3cold+)
Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
Capabilities: [48] Express (v2) Endpoint, IntMsgNum 0
DevCap: MaxPayload 128 bytes, PhantFunc 0, Latency L0s
<64ns, L1 <1us
ExtTag- AttnBtn- AttnInd- PwrInd- RBE- FLReset-
SlotPowerLimit 0W
DevCtl: CorrErr- NonFatalErr- FatalErr- UnsupReq-
RlxdOrd- ExtTag- PhantFunc- AuxPwr- NoSnoop-
MaxPayload 128 bytes, MaxReadReq 128 bytes
DevSta: CorrErr- NonFatalErr- FatalErr- UnsupReq-
AuxPwr- TransPend-
LnkCap: Port #0, Speed 5GT/s, Width x32, ASPM L0s, Exit
Latency L0s <64ns
ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp-
LnkCtl: ASPM Disabled; RCB 64 bytes, LnkDisable- CommClk-
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 5GT/s, Width x32
TrErr- Train- SlotClk- DLActive- BWMgmt- ABWMgmt-
DevCap2: Completion Timeout: Not Supported, TimeoutDis-
NROPrPrP- LTR-
10BitTagComp- 10BitTagReq- OBFF Not Supported,
ExtFmt- EETLPPrefix-
EmergencyPowerReduction Not Supported,
EmergencyPowerReductionInit-
FRS- TPHComp- ExtTPHComp-
AtomicOpsCap: 32bit- 64bit- 128bitCAS-
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-
AtomicOpsCtl: ReqEn-
IDOReq- IDOCompl- LTR- EmergencyPowerReductionReq-
10BitTagReq- OBFF Disabled, EETLPPrefixBlk-
LnkSta2: Current De-emphasis Level: -6dB,
EqualizationComplete- EqualizationPhase1-
EqualizationPhase2- EqualizationPhase3-
LinkEqualizationRequest-
Retimer- 2Retimers- CrosslinkRes: unsupported
Capabilities: [84] MSI: Enable- Count=1/1 Maskable- 64bit+
Address: 0000000000000000 Data: 0000
Capabilities: [9c] MSI-X: Enable+ Count=65 Masked-
Vector table: BAR=2 offset=00000000
PBA: BAR=2 offset=00001000
Capabilities: [100 v1] Device Serial Number 00-0c-29-ff-ff-8c-20-03
Kernel driver in use: vmxnet3
Kernel modules: vmxnet3
02:03.0 USB controller: VMware USB2 EHCI Controller (prog-if 20 [EHCI])
DeviceName: ehci
Subsystem: VMware USB2 EHCI Controller
Physical Slot: 35
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 64 (1500ns min, 63750ns max)
Interrupt: pin A routed to IRQ 16
Region 0: Memory at fe211000 (32-bit, non-prefetchable) [size=4K]
Capabilities: [40] PCI Advanced Features
AFCap: TP+ FLR+
AFCtrl: FLR-
AFStatus: TP-
Kernel driver in use: ehci-pci
02:04.0 SATA controller: VMware SATA AHCI controller (prog-if 01 [AHCI 1.0])
DeviceName: sata0
Subsystem: VMware SATA AHCI controller
Physical Slot: 36
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop-
ParErr- Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz+ UDF- FastB2B- ParErr- DEVSEL=fast >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 64
Interrupt: pin A routed to IRQ 24
Region 5: Memory at fe210000 (32-bit, non-prefetchable) [size=4K]
Expansion ROM at fdd20000 [disabled] [size=64K]
Capabilities: [40] Power Management version 3
Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA
PME(D0-,D1-,D2-,D3hot+,D3cold-)
Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
Capabilities: [48] MSI: Enable+ Count=1/1 Maskable- 64bit+
Address: 00000000fee04000 Data: 0020
Capabilities: [60] SATA HBA v1.0 InCfgSpace
Capabilities: [70] PCI Advanced Features
AFCap: TP+ FLR+
AFCtrl: FLR-
AFStatus: TP-
Kernel driver in use: ahci
> Also cat /proc/cpuinfo?
>
Since there are 32 cores, the output is quite long, so I omitted the
repeated parts to keep the email short:
cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 85
model name : Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz
stepping : 7
microcode : 0x5003302
cpu MHz : 2893.202
cache size : 22528 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb
rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable
nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid
sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c
rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp
ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f
avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl
xsaveopt xsavec xgetbv1 xsaves arat pku ospke avx512_vnni md_clear
flush_l1d arch_capabilities
bugs : spectre_v1 spectre_v2 spec_store_bypass swapgs
itlb_multihit mmio_stale_data retbleed eibrs_pbrsb gds bhi
bogomips : 5786.40
clflush size : 64
cache_alignment : 64
address sizes : 45 bits physical, 48 bits virtual
power management:
processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 85
model name : Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz
stepping : 7
microcode : 0x5003302
cpu MHz : 2893.202
cache size : 22528 KB
physical id : 2
siblings : 1
core id : 0
cpu cores : 1
apicid : 2
initial apicid : 2
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb
rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable
nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid
sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c
rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp
ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f
avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl
xsaveopt xsavec xgetbv1 xsaves arat pku ospke avx512_vnni md_clear
flush_l1d arch_capabilities
bugs : spectre_v1 spectre_v2 spec_store_bypass swapgs
itlb_multihit mmio_stale_data retbleed eibrs_pbrsb gds bhi
bogomips : 5786.40
clflush size : 64
cache_alignment : 64
address sizes : 45 bits physical, 48 bits virtual
power management:
processor : 2
vendor_id : GenuineIntel
cpu family : 6
model : 85
model name : Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz
stepping : 7
microcode : 0x5003302
cpu MHz : 2893.202
cache size : 22528 KB
physical id : 4
siblings : 1
core id : 0
cpu cores : 1
apicid : 4
initial apicid : 4
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb
rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable
nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid
sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c
rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp
ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f
avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl
xsaveopt xsavec xgetbv1 xsaves arat pku ospke avx512_vnni md_clear
flush_l1d arch_capabilities
bugs : spectre_v1 spectre_v2 spec_store_bypass swapgs
itlb_multihit mmio_stale_data retbleed eibrs_pbrsb gds bhi
bogomips : 5786.40
clflush size : 64
cache_alignment : 64
address sizes : 45 bits physical, 48 bits virtual
power management:
processor : 3
vendor_id : GenuineIntel
cpu family : 6
model : 85
model name : Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz
stepping : 7
microcode : 0x5003302
cpu MHz : 2893.202
cache size : 22528 KB
physical id : 6
siblings : 1
core id : 0
cpu cores : 1
apicid : 6
initial apicid : 6
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb
rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable
nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid
sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c
rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp
ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f
avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl
xsaveopt xsavec xgetbv1 xsaves arat pku ospke avx512_vnni md_clear
flush_l1d arch_capabilities
bugs : spectre_v1 spectre_v2 spec_store_bypass swapgs
itlb_multihit mmio_stale_data retbleed eibrs_pbrsb gds bhi
bogomips : 5786.40
clflush size : 64
cache_alignment : 64
address sizes : 45 bits physical, 48 bits virtual
power management:
......
processor : 29
vendor_id : GenuineIntel
cpu family : 6
model : 85
model name : Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz
stepping : 7
microcode : 0x5003302
cpu MHz : 2893.202
cache size : 22528 KB
physical id : 58
siblings : 1
core id : 0
cpu cores : 1
apicid : 58
initial apicid : 58
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb
rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable
nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid
sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c
rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp
ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f
avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl
xsaveopt xsavec xgetbv1 xsaves arat pku ospke avx512_vnni md_clear
flush_l1d arch_capabilities
bugs : spectre_v1 spectre_v2 spec_store_bypass swapgs
itlb_multihit mmio_stale_data retbleed eibrs_pbrsb gds bhi
bogomips : 5786.40
clflush size : 64
cache_alignment : 64
address sizes : 45 bits physical, 48 bits virtual
power management:
processor : 30
vendor_id : GenuineIntel
cpu family : 6
model : 85
model name : Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz
stepping : 7
microcode : 0x5003302
cpu MHz : 2893.202
cache size : 22528 KB
physical id : 60
siblings : 1
core id : 0
cpu cores : 1
apicid : 60
initial apicid : 60
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb
rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable
nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid
sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c
rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp
ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f
avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl
xsaveopt xsavec xgetbv1 xsaves arat pku ospke avx512_vnni md_clear
flush_l1d arch_capabilities
bugs : spectre_v1 spectre_v2 spec_store_bypass swapgs
itlb_multihit mmio_stale_data retbleed eibrs_pbrsb gds bhi
bogomips : 5786.40
clflush size : 64
cache_alignment : 64
address sizes : 45 bits physical, 48 bits virtual
power management:
processor : 31
vendor_id : GenuineIntel
cpu family : 6
model : 85
model name : Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz
stepping : 7
microcode : 0x5003302
cpu MHz : 2893.202
cache size : 22528 KB
physical id : 62
siblings : 1
core id : 0
cpu cores : 1
apicid : 62
initial apicid : 62
fpu : yes
fpu_exception : yes
cpuid level : 22
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb
rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable
nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid
sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c
rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp
ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f
avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl
xsaveopt xsavec xgetbv1 xsaves arat pku ospke avx512_vnni md_clear
flush_l1d arch_capabilities
bugs : spectre_v1 spectre_v2 spec_store_bypass swapgs
itlb_multihit mmio_stale_data retbleed eibrs_pbrsb gds bhi
bogomips : 5786.40
clflush size : 64
cache_alignment : 64
address sizes : 45 bits physical, 48 bits virtual
power management:
> Thanks,
> Srinivas
>
>>
>>> I don't think lspci in VM will show this device.
>>> Can you send lspci -k?
>>
>> lspci -k
>> 00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX
>> Host
>> ...
>> ...
>> Kernel driver in use: ehci-pci
>> 02:04.0 SATA controller: VMware SATA AHCI controller
>> DeviceName: sata0
>> Subsystem: VMware SATA AHCI controller
>> Kernel driver in use: ahci
>>
>>>
> This is not complete list.
As requested, the full output of lspci -k is documented above.
Thanks,
Zach
>
>
>>> I want to make sure somehow your other VM PCI device is using same
>>> ID
>> ...
>> ...
>
* Re: [PATCH v2] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-19 18:44 ` srinivas pandruvada
@ 2024-09-20 16:19 ` Zach Wade
2024-09-20 19:37 ` srinivas pandruvada
0 siblings, 1 reply; 15+ messages in thread
From: Zach Wade @ 2024-09-20 16:19 UTC (permalink / raw)
To: srinivas pandruvada, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86
On 2024/9/20 2:44, srinivas pandruvada wrote:
> On Fri, 2024-09-20 at 00:37 +0800, Zach Wade wrote:
>> Attaching SST PCI device to VM causes
> You are not attaching SST PCI device to VM. It seems some hard drives
> emulates same PCI vendor/device ID.
>
> But replacing with topology_logical_package_id() is fine.
>
> Let's find out what are those devices.
>
> Thanks,
> Srinivas
>
So should we delete this description? Do I need to modify the patch again?
Thanks,
Zach
>> "BUG: KASAN: slab-out-of-bounds".
>> kasan report:
>> [ 19.411889]
>> ==================================================================
>> [ 19.413702] BUG: KASAN: slab-out-of-bounds in
>> _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
>> [ 19.415634] Read of size 8 at addr ffff888829e65200 by task
>> cpuhp/16/113
>> [ 19.417368]
>> [ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G
>> E 6.9.0 #10
>> [ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop
>> Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713
>> 07/28/2022
>> [ 19.422687] Call Trace:
>> [ 19.424091] <TASK>
>> [ 19.425448] dump_stack_lvl+0x5d/0x80
>> [ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
>> [ 19.428694] print_report+0x19d/0x52e
>> [ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
>> [ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
>> [ 19.433539] kasan_report+0xf0/0x170
>> [ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
>> [ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
>> [ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
>> [ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
>> [ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
>> [ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
>> [ 19.444797] cpuhp_invoke_callback+0x221/0xec0
>> [ 19.446337] cpuhp_thread_fun+0x21b/0x610
>> [ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
>> [ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
>> [ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
>> [ 19.452405] kthread+0x29c/0x350
>> [ 19.453817] ? __pfx_kthread+0x10/0x10
>> [ 19.455253] ret_from_fork+0x31/0x70
>> [ 19.456685] ? __pfx_kthread+0x10/0x10
>> [ 19.458114] ret_from_fork_asm+0x1a/0x30
>> [ 19.459573] </TASK>
>> [ 19.460853]
>> [ 19.462055] Allocated by task 1198:
>> [ 19.463410] kasan_save_stack+0x30/0x50
>> [ 19.464788] kasan_save_track+0x14/0x30
>> [ 19.466139] __kasan_kmalloc+0xaa/0xb0
>> [ 19.467465] __kmalloc+0x1cd/0x470
>> [ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
>> [ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
>> [ 19.471670] do_one_initcall+0xa4/0x380
>> [ 19.472903] do_init_module+0x238/0x760
>> [ 19.474105] load_module+0x5239/0x6f00
>> [ 19.475285] init_module_from_file+0xd1/0x130
>> [ 19.476506] idempotent_init_module+0x23b/0x650
>> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
>> [ 19.476506] idempotent_init_module+0x23b/0x650
>> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
>> [ 19.478920] do_syscall_64+0x82/0x160
>> [ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>> [ 19.481292]
>> [ 19.482205] The buggy address belongs to the object at
>> ffff888829e65000
>> which belongs to the cache kmalloc-512 of size 512
>> [ 19.484818] The buggy address is located 0 bytes to the right of
>> allocated 512-byte region [ffff888829e65000, ffff888829e65200)
>> [ 19.487447]
>> [ 19.488328] The buggy address belongs to the physical page:
>> [ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000
>> index:0xffff888829e60c00 pfn:0x829e60
>> [ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0
>> pincount:0
>> [ 19.492466] anon flags:
>> 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
>> [ 19.493914] page_type: 0xffffffff()
>> [ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80
>> 0000000000000000 0000000000000001
>> [ 19.496451] raw: ffff888829e60c00 0000000080200018
>> 00000001ffffffff 0000000000000000
>> [ 19.497906] head: 0057ffffc0000840 ffff88810004cc80
>> 0000000000000000 0000000000000001
>> [ 19.499379] head: ffff888829e60c00 0000000080200018
>> 00000001ffffffff 0000000000000000
>> [ 19.500844] head: 0057ffffc0000003 ffffea0020a79801
>> ffffea0020a79848 00000000ffffffff
>> [ 19.502316] head: 0000000800000000 0000000000000000
>> 00000000ffffffff 0000000000000000
>> [ 19.503784] page dumped because: kasan: bad access detected
>> [ 19.505058]
>> [ 19.505970] Memory state around the buggy address:
>> [ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00 00 00
>> 00 00 00 00
>> [ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00 00 00
>> 00 00 00 00
>> [ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc fc fc
>> fc fc fc fc
>> [ 19.510014] ^
>> [ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc fc fc
>> fc fc fc fc
>> [ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc fc fc
>> fc fc fc fc
>> [ 19.515367]
>> ==================================================================
>> The reason for this error is physical_package_ids assigned by VMM
>> have
>> holes. This will cause value returned by
>> topology_physical_package_id()
>> to be more than topology_max_packages(). The allocation uses
>> topology_max_packages() to allocate memory. topology_max_packages()
>> returns maximum logical package IDs. Hence use
>> topology_logical_package_id() instead of
>> topology_physical_package_id().
>>
>> Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with
>> Sub-NUMA clustering")
>> Signed-off-by: Zach Wade <zachwade.k@gmail.com>
>> ---
>> drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git
>> a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>> b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>> index 10e21563fa46..030c33070b84 100644
>> --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>> +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>> @@ -316,7 +316,9 @@ static struct pci_dev *_isst_if_get_pci_dev(int
>> cpu, int bus_no, int dev, int fn
>> cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
>> return NULL;
>>
>> - pkg_id = topology_physical_package_id(cpu);
>> + pkg_id = topology_logical_package_id(cpu);
>> + if (pkg_id >= topology_max_packages())
>> + return NULL;
>>
>> bus_number = isst_cpu_info[cpu].bus_info[bus_no];
>> if (bus_number < 0)
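Review bot: The added guard in _isst_if_get_pci_dev() bounds pkg_id only from above (`pkg_id >= topology_max_packages()`). The declaration of pkg_id is outside this hunk; if it is a signed int and topology_logical_package_id() can hand back a negative value for a CPU that has no logical package assigned yet, that value passes the check and is still used as an index. Consider `if (pkg_id < 0 || pkg_id >= topology_max_packages())`, or state in the changelog why a negative ID cannot reach this point.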
>
* Re: [PATCH v2] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-20 16:19 ` Zach Wade
@ 2024-09-20 19:37 ` srinivas pandruvada
2024-09-21 11:41 ` Zach Wade
0 siblings, 1 reply; 15+ messages in thread
From: srinivas pandruvada @ 2024-09-20 19:37 UTC (permalink / raw)
To: Zach Wade, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86
On Sat, 2024-09-21 at 00:19 +0800, Zach Wade wrote:
>
>
> On 2024/9/20 2:44, srinivas pandruvada wrote:
> > On Fri, 2024-09-20 at 00:37 +0800, Zach Wade wrote:
> > > Attaching SST PCI device to VM causes
> > You are not attaching SST PCI device to VM. It seems some hard
> > drives
> > emulates same PCI vendor/device ID.
> >
> > But replacing with topology_logical_package_id() is fine.
> >
> > Let's find out what are those devices.
> >
> > Thanks,
> > Srinivas
> >
>
> So should we delete this description? Do I need to modify the patch
> again?
No need to remove that line. It doesn't matter how we arrive here. VMM
can emulate any PCI device.
Some suggestions below.
>
> Thanks,
> Zach
>
> > > "BUG: KASAN: slab-out-of-bounds".
> > > kasan report:
> > > [ 19.411889]
> > > =================================================================
> > > =
> > > [ 19.413702] BUG: KASAN: slab-out-of-bounds in
> > > _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> > > [ 19.415634] Read of size 8 at addr ffff888829e65200 by task
> > > cpuhp/16/113
> > > [ 19.417368]
> > > [ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G
> > > E 6.9.0 #10
> > > [ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX
> > > Desktop
> > > Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713
> > > 07/28/2022
> > > [ 19.422687] Call Trace:
> > > [ 19.424091] <TASK>
> > > [ 19.425448] dump_stack_lvl+0x5d/0x80
> > > [ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400
> > > [isst_if_common]
> > > [ 19.428694] print_report+0x19d/0x52e
> > > [ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
> > > [ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400
> > > [isst_if_common]
> > > [ 19.433539] kasan_report+0xf0/0x170
> > > [ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400
> > > [isst_if_common]
> > > [ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> > > [ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
> > > [ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
> > > [ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10
> > > [isst_if_common]
> > > [ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
> > > [ 19.444797] cpuhp_invoke_callback+0x221/0xec0
> > > [ 19.446337] cpuhp_thread_fun+0x21b/0x610
> > > [ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
> > > [ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
> > > [ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
> > > [ 19.452405] kthread+0x29c/0x350
> > > [ 19.453817] ? __pfx_kthread+0x10/0x10
> > > [ 19.455253] ret_from_fork+0x31/0x70
> > > [ 19.456685] ? __pfx_kthread+0x10/0x10
> > > [ 19.458114] ret_from_fork_asm+0x1a/0x30
> > > [ 19.459573] </TASK>
> > > [ 19.460853]
> > > [ 19.462055] Allocated by task 1198:
> > > [ 19.463410] kasan_save_stack+0x30/0x50
> > > [ 19.464788] kasan_save_track+0x14/0x30
> > > [ 19.466139] __kasan_kmalloc+0xaa/0xb0
> > > [ 19.467465] __kmalloc+0x1cd/0x470
> > > [ 19.468748] isst_if_cdev_register+0x1da/0x350
> > > [isst_if_common]
> > > [ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
> > > [ 19.471670] do_one_initcall+0xa4/0x380
> > > [ 19.472903] do_init_module+0x238/0x760
> > > [ 19.474105] load_module+0x5239/0x6f00
> > > [ 19.475285] init_module_from_file+0xd1/0x130
> > > [ 19.476506] idempotent_init_module+0x23b/0x650
> > > [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> > > [ 19.476506] idempotent_init_module+0x23b/0x650
> > > [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> > > [ 19.478920] do_syscall_64+0x82/0x160
> > > [ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> > > [ 19.481292]
> > > [ 19.482205] The buggy address belongs to the object at
> > > ffff888829e65000
> > > which belongs to the cache kmalloc-512 of size 512
> > > [ 19.484818] The buggy address is located 0 bytes to the right
> > > of
> > > allocated 512-byte region [ffff888829e65000, ffff888829e65200)
> > > [ 19.487447]
> > > [ 19.488328] The buggy address belongs to the physical page:
> > > [ 19.489569] page: refcount:1 mapcount:0
> > > mapping:0000000000000000
> > > index:0xffff888829e60c00 pfn:0x829e60
> > > [ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0
> > > pincount:0
> > > [ 19.492466] anon flags:
> > > 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
> > > [ 19.493914] page_type: 0xffffffff()
> > > [ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80
> > > 0000000000000000 0000000000000001
> > > [ 19.496451] raw: ffff888829e60c00 0000000080200018
> > > 00000001ffffffff 0000000000000000
> > > [ 19.497906] head: 0057ffffc0000840 ffff88810004cc80
> > > 0000000000000000 0000000000000001
> > > [ 19.499379] head: ffff888829e60c00 0000000080200018
> > > 00000001ffffffff 0000000000000000
> > > [ 19.500844] head: 0057ffffc0000003 ffffea0020a79801
> > > ffffea0020a79848 00000000ffffffff
> > > [ 19.502316] head: 0000000800000000 0000000000000000
> > > 00000000ffffffff 0000000000000000
> > > [ 19.503784] page dumped because: kasan: bad access detected
> > > [ 19.505058]
> > > [ 19.505970] Memory state around the buggy address:
> > > [ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00
> > > 00 00
> > > 00 00 00 00
> > > [ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00
> > > 00 00
> > > 00 00 00 00
> > > [ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc
> > > fc fc
> > > fc fc fc fc
> > > [ 19.510014] ^
> > > [ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc
> > > fc fc
> > > fc fc fc fc
> > > [ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc
> > > fc fc
> > > fc fc fc fc
> > > [ 19.515367]
> > > =================================================================
> > > =
A new line here
"
The reason for this error is physical_package_ids assigned by VMware
VMM
are not continuous and have gaps. This will cause value returned by
topology_physical_package_id() to be more than topology_max_packages().
Here the allocation uses topology_max_packages(). The call to
topology_max_packages() returns maximum logical package ID not physical
ID. Hence use topology_logical_package_id() instead of
topology_physical_package_id().
"
My copy paste formatting may not be correct to run with
./scripts/checkpatch.pl
> > > The reason for this error is physical_package_ids assigned by VMM
> > > have
> > > holes. This will cause value returned by
> > > topology_physical_package_id()
> > > to be more than topology_max_packages(). The allocation uses
> > > topology_max_packages() to allocate memory.
> > > topology_max_packages()
> > > returns maximum logical package IDs. Hence use
> > > topology_logical_package_id() instead of
> > > topology_physical_package_id().
> > >
> > > Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping
> > > with
> > > Sub-NUMA clustering")
> > > Signed-off-by: Zach Wade <zachwade.k@gmail.com>
What is the kernel version of your kernel?
Cc: <stable@vger.kernel.org>
Thanks,
Srinivas
> > > ---
> > > drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4
> > > +++-
> > > 1 file changed, 3 insertions(+), 1 deletion(-)
> > >
> > > diff --git
> > > a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > index 10e21563fa46..030c33070b84 100644
> > > --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> > > @@ -316,7 +316,9 @@ static struct pci_dev
> > > *_isst_if_get_pci_dev(int
> > > cpu, int bus_no, int dev, int fn
> > > cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
> > > return NULL;
> > >
> > > - pkg_id = topology_physical_package_id(cpu);
> > > + pkg_id = topology_logical_package_id(cpu);
> > > + if (pkg_id >= topology_max_packages())
> > > + return NULL;
> > >
> > > bus_number = isst_cpu_info[cpu].bus_info[bus_no];
> > > if (bus_number < 0)
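Review bot: The limit in the new `if (pkg_id >= topology_max_packages())` is re-read on every call, while the table it protects was sized once, in isst_if_cdev_register() according to the "Allocated by" trace quoted above. Comparing against an element count saved when the table is allocated would tie the check to the real allocation instead of to a second call that is assumed to return the same value.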
> >
>
* Re: [PATCH v2] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-20 19:37 ` srinivas pandruvada
@ 2024-09-21 11:41 ` Zach Wade
0 siblings, 0 replies; 15+ messages in thread
From: Zach Wade @ 2024-09-21 11:41 UTC (permalink / raw)
To: srinivas pandruvada, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86
On 2024/9/21 3:37, srinivas pandruvada wrote:
> On Sat, 2024-09-21 at 00:19 +0800, Zach Wade wrote:
>>
>>
>> On 2024/9/20 2:44, srinivas pandruvada wrote:
>>> On Fri, 2024-09-20 at 00:37 +0800, Zach Wade wrote:
>>>> Attaching SST PCI device to VM causes
>>> You are not attaching SST PCI device to VM. It seems some hard
>>> drives
>>> emulates same PCI vendor/device ID.
>>>
>>> But replacing with topology_logical_package_id() is fine.
>>>
>>> Let's find out what are those devices.
>>>
>>> Thanks,
>>> Srinivas
>>>
>>
>> So should we delete this description? Do I need to modify the patch
>> again?
>
> No need to remove that line. It doesn't matter how we arrive here. VMM
> can emulate any PCI device.
>
OK, I won't change this next time I send it.
> Some suggestions below.
>
>>
>> Thanks,
>> Zach
>>
>>>> "BUG: KASAN: slab-out-of-bounds".
>>>> kasan report:
>>>> [ 19.411889]
>>>> =================================================================
>>>> =
>>>> [ 19.413702] BUG: KASAN: slab-out-of-bounds in
>>>> _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
>>>> [ 19.415634] Read of size 8 at addr ffff888829e65200 by task
>>>> cpuhp/16/113
>>>> [ 19.417368]
>>>> [ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G
>>>> E 6.9.0 #10
>>>> [ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX
>>>> Desktop
>>>> Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713
>>>> 07/28/2022
>>>> [ 19.422687] Call Trace:
>>>> [ 19.424091] <TASK>
>>>> [ 19.425448] dump_stack_lvl+0x5d/0x80
>>>> [ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400
>>>> [isst_if_common]
>>>> [ 19.428694] print_report+0x19d/0x52e
>>>> [ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
>>>> [ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400
>>>> [isst_if_common]
>>>> [ 19.433539] kasan_report+0xf0/0x170
>>>> [ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400
>>>> [isst_if_common]
>>>> [ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
>>>> [ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
>>>> [ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
>>>> [ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10
>>>> [isst_if_common]
>>>> [ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
>>>> [ 19.444797] cpuhp_invoke_callback+0x221/0xec0
>>>> [ 19.446337] cpuhp_thread_fun+0x21b/0x610
>>>> [ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
>>>> [ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
>>>> [ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
>>>> [ 19.452405] kthread+0x29c/0x350
>>>> [ 19.453817] ? __pfx_kthread+0x10/0x10
>>>> [ 19.455253] ret_from_fork+0x31/0x70
>>>> [ 19.456685] ? __pfx_kthread+0x10/0x10
>>>> [ 19.458114] ret_from_fork_asm+0x1a/0x30
>>>> [ 19.459573] </TASK>
>>>> [ 19.460853]
>>>> [ 19.462055] Allocated by task 1198:
>>>> [ 19.463410] kasan_save_stack+0x30/0x50
>>>> [ 19.464788] kasan_save_track+0x14/0x30
>>>> [ 19.466139] __kasan_kmalloc+0xaa/0xb0
>>>> [ 19.467465] __kmalloc+0x1cd/0x470
>>>> [ 19.468748] isst_if_cdev_register+0x1da/0x350
>>>> [isst_if_common]
>>>> [ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
>>>> [ 19.471670] do_one_initcall+0xa4/0x380
>>>> [ 19.472903] do_init_module+0x238/0x760
>>>> [ 19.474105] load_module+0x5239/0x6f00
>>>> [ 19.475285] init_module_from_file+0xd1/0x130
>>>> [ 19.476506] idempotent_init_module+0x23b/0x650
>>>> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
>>>> [ 19.476506] idempotent_init_module+0x23b/0x650
>>>> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
>>>> [ 19.478920] do_syscall_64+0x82/0x160
>>>> [ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>>> [ 19.481292]
>>>> [ 19.482205] The buggy address belongs to the object at
>>>> ffff888829e65000
>>>> which belongs to the cache kmalloc-512 of size 512
>>>> [ 19.484818] The buggy address is located 0 bytes to the right
>>>> of
>>>> allocated 512-byte region [ffff888829e65000, ffff888829e65200)
>>>> [ 19.487447]
>>>> [ 19.488328] The buggy address belongs to the physical page:
>>>> [ 19.489569] page: refcount:1 mapcount:0
>>>> mapping:0000000000000000
>>>> index:0xffff888829e60c00 pfn:0x829e60
>>>> [ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0
>>>> pincount:0
>>>> [ 19.492466] anon flags:
>>>> 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
>>>> [ 19.493914] page_type: 0xffffffff()
>>>> [ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80
>>>> 0000000000000000 0000000000000001
>>>> [ 19.496451] raw: ffff888829e60c00 0000000080200018
>>>> 00000001ffffffff 0000000000000000
>>>> [ 19.497906] head: 0057ffffc0000840 ffff88810004cc80
>>>> 0000000000000000 0000000000000001
>>>> [ 19.499379] head: ffff888829e60c00 0000000080200018
>>>> 00000001ffffffff 0000000000000000
>>>> [ 19.500844] head: 0057ffffc0000003 ffffea0020a79801
>>>> ffffea0020a79848 00000000ffffffff
>>>> [ 19.502316] head: 0000000800000000 0000000000000000
>>>> 00000000ffffffff 0000000000000000
>>>> [ 19.503784] page dumped because: kasan: bad access detected
>>>> [ 19.505058]
>>>> [ 19.505970] Memory state around the buggy address:
>>>> [ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00
>>>> 00 00
>>>> 00 00 00 00
>>>> [ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00
>>>> 00 00
>>>> 00 00 00 00
>>>> [ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc
>>>> fc fc
>>>> fc fc fc fc
>>>> [ 19.510014] ^
>>>> [ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc
>>>> fc fc
>>>> fc fc fc fc
>>>> [ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc
>>>> fc fc
>>>> fc fc fc fc
>>>> [ 19.515367]
>>>> =================================================================
>>>> =
>
> A new line here
I see.
>
>
> "
> The reason for this error is physical_package_ids assigned by VMware
> VMM
> are not continuous and have gaps. This will cause value returned by
> topology_physical_package_id() to be more than topology_max_packages().
>
> Here the allocation uses topology_max_packages(). The call to
> topology_max_packages() returns maximum logical package ID not physical
> ID. Hence use topology_logical_package_id() instead of
> topology_physical_package_id().
> "
Ok, I'll add this description in v3.
>
> My copy paste formatting may not be correct to run with
> ./scripts/checkpatch.pl
>
>>>> The reason for this error is physical_package_ids assigned by VMM
>>>> have
>>>> holes. This will cause value returned by
>>>> topology_physical_package_id()
>>>> to be more than topology_max_packages(). The allocation uses
>>>> topology_max_packages() to allocate memory.
>>>> topology_max_packages()
>>>> returns maximum logical package IDs. Hence use
>>>> topology_logical_package_id() instead of
>>>> topology_physical_package_id().
>>>>
>>>> Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping
>>>> with
>>>> Sub-NUMA clustering")
>>>> Signed-off-by: Zach Wade <zachwade.k@gmail.com>
>
> What is the kernel version of your kernel?
>
Linux kernel master branch 6.9.0.
Should I change the patch to a specific development branch?
> Cc: <stable@vger.kernel.org>
>
OK, thanks. Next time I send it I will cc stable@vger.kernel.org
Thanks,
Zach
>
> Thanks,
> Srinivas
>
>>>> ---
>>>> drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4
>>>> +++-
>>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git
>>>> a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>>>> b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>>>> index 10e21563fa46..030c33070b84 100644
>>>> --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>>>> +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
>>>> @@ -316,7 +316,9 @@ static struct pci_dev
>>>> *_isst_if_get_pci_dev(int
>>>> cpu, int bus_no, int dev, int fn
>>>> cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
>>>> return NULL;
>>>>
>>>> - pkg_id = topology_physical_package_id(cpu);
>>>> + pkg_id = topology_logical_package_id(cpu);
>>>> + if (pkg_id >= topology_max_packages())
>>>> + return NULL;
>>>>
>>>> bus_number = isst_cpu_info[cpu].bus_info[bus_no];
>>>> if (bus_number < 0)
>>>
>>
>
* [PATCH v3] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-18 17:41 ` srinivas pandruvada
2024-09-19 16:22 ` Zach Wade
2024-09-19 16:37 ` [PATCH v2] " Zach Wade
@ 2024-09-23 14:45 ` Zach Wade
2024-09-23 17:51 ` srinivas pandruvada
2024-10-05 12:53 ` Hans de Goede
2 siblings, 2 replies; 15+ messages in thread
From: Zach Wade @ 2024-09-23 14:45 UTC (permalink / raw)
To: srinivas.pandruvada, hdegoede, ilpo.jarvinen
Cc: platform-driver-x86, stable, Zach Wade
Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds".
kasan report:
[ 19.411889] ==================================================================
[ 19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
[ 19.417368]
[ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10
[ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
[ 19.422687] Call Trace:
[ 19.424091] <TASK>
[ 19.425448] dump_stack_lvl+0x5d/0x80
[ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.428694] print_report+0x19d/0x52e
[ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.433539] kasan_report+0xf0/0x170
[ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
[ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
[ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
[ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
[ 19.444797] cpuhp_invoke_callback+0x221/0xec0
[ 19.446337] cpuhp_thread_fun+0x21b/0x610
[ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
[ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 19.452405] kthread+0x29c/0x350
[ 19.453817] ? __pfx_kthread+0x10/0x10
[ 19.455253] ret_from_fork+0x31/0x70
[ 19.456685] ? __pfx_kthread+0x10/0x10
[ 19.458114] ret_from_fork_asm+0x1a/0x30
[ 19.459573] </TASK>
[ 19.460853]
[ 19.462055] Allocated by task 1198:
[ 19.463410] kasan_save_stack+0x30/0x50
[ 19.464788] kasan_save_track+0x14/0x30
[ 19.466139] __kasan_kmalloc+0xaa/0xb0
[ 19.467465] __kmalloc+0x1cd/0x470
[ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
[ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
[ 19.471670] do_one_initcall+0xa4/0x380
[ 19.472903] do_init_module+0x238/0x760
[ 19.474105] load_module+0x5239/0x6f00
[ 19.475285] init_module_from_file+0xd1/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.478920] do_syscall_64+0x82/0x160
[ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 19.481292]
[ 19.482205] The buggy address belongs to the object at ffff888829e65000
which belongs to the cache kmalloc-512 of size 512
[ 19.484818] The buggy address is located 0 bytes to the right of
allocated 512-byte region [ffff888829e65000, ffff888829e65200)
[ 19.487447]
[ 19.488328] The buggy address belongs to the physical page:
[ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60
[ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
[ 19.493914] page_type: 0xffffffff()
[ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff
[ 19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 19.503784] page dumped because: kasan: bad access detected
[ 19.505058]
[ 19.505970] Memory state around the buggy address:
[ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.510014] ^
[ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.515367] ==================================================================
The reason for this error is physical_package_ids assigned by VMware VMM
are not continuous and have gaps. This will cause value returned by
topology_physical_package_id() to be more than topology_max_packages().
Here the allocation uses topology_max_packages(). The call to
topology_max_packages() returns maximum logical package ID not physical
ID. Hence use topology_logical_package_id() instead of
topology_physical_package_id().
Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering")
Signed-off-by: Zach Wade <zachwade.k@gmail.com>
---
drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
index 10e21563fa46..030c33070b84 100644
--- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
+++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
@@ -316,7 +316,9 @@ static struct pci_dev *_isst_if_get_pci_dev(int cpu, int bus_no, int dev, int fn
cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
return NULL;
- pkg_id = topology_physical_package_id(cpu);
+ pkg_id = topology_logical_package_id(cpu);
+ if (pkg_id >= topology_max_packages())
+ return NULL;
bus_number = isst_cpu_info[cpu].bus_info[bus_no];
if (bus_number < 0)
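Review bot: The early return on `pkg_id >= topology_max_packages()` is not explained anywhere: the changelog covers only the switch to topology_logical_package_id(), and by its own reasoning a logical ID should never reach that limit. Add a one-line comment above the check, or a sentence in the changelog, saying it is a defensive bound on the table index, so a later reader neither removes it nor mistakes it for the fix. The trailers above the hunk also carry Fixes: and Signed-off-by: but no `Cc: <stable@vger.kernel.org>` line, which was requested earlier in the thread.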
--
2.46.0
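The cause given in the v3 changelog, as a user-space model added here (not code from the patch or the driver): a table sized by the number of packages is indexed first by the VMM's gapped physical ID, then by the dense logical ID with the patch's bound check. Assumptions: 32 single-core packages whose physical ID is twice the CPU number (consistent with processor 31 reporting physical id 62 in the cpuinfo output in this thread) and 16-byte table entries; all names are hypothetical.

```c
/* Added example: user-space model of the table indexing discussed in this
 * thread. Not driver code; every name here is hypothetical. */
#include <stdio.h>

#define NR_CPUS    32  /* constructed: 32 CPUs, one single-core package each */
#define ENTRY_SIZE 16  /* assumption: bytes per table entry, 32 * 16 = 512 */

struct topo {
	int phys_pkg[NR_CPUS];    /* package ID as numbered by the VMM */
	int logical_pkg[NR_CPUS]; /* dense ID, assigned in order of first sight */
	int max_packages;         /* distinct packages = number of table entries */
};

/* The VMM numbers packages cpu * stride, so a stride above 1 leaves gaps. */
static void topo_build(struct topo *t, int stride)
{
	int known[NR_CPUS];
	int nknown = 0;

	for (int cpu = 0; cpu < NR_CPUS; cpu++) {
		int phys = cpu * stride;
		int logical = -1;

		for (int i = 0; i < nknown; i++)
			if (known[i] == phys)
				logical = i;
		if (logical < 0) {
			known[nknown] = phys;
			logical = nknown++;
		}
		t->phys_pkg[cpu] = phys;
		t->logical_pkg[cpu] = logical;
	}
	t->max_packages = nknown;
}

/* Before the fix: the physical ID is used as the index, unchecked. */
static int index_before_fix(const struct topo *t, int cpu)
{
	return t->phys_pkg[cpu];
}

/* After the fix: logical ID, with the bound check from the patch. */
static int index_after_fix(const struct topo *t, int cpu)
{
	int pkg_id = t->logical_pkg[cpu];

	if (pkg_id >= t->max_packages)
		return -1; /* the driver returns NULL at this point */
	return pkg_id;
}

/* Number of entries in the table for a given numbering stride. */
static int table_entries(int stride)
{
	struct topo t;

	topo_build(&t, stride);
	return t.max_packages;
}

/* First CPU whose pre-fix index lies outside the table, or -1 if none. */
static int first_oob_cpu(int stride)
{
	struct topo t;

	topo_build(&t, stride);
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		if (index_before_fix(&t, cpu) >= t.max_packages)
			return cpu;
	return -1;
}

/* Byte offset of that first bad access from the start of the table. */
static long first_oob_offset(int stride)
{
	struct topo t;
	int cpu = first_oob_cpu(stride);

	if (cpu < 0)
		return -1;
	topo_build(&t, stride);
	return (long)index_before_fix(&t, cpu) * ENTRY_SIZE;
}

/* CPUs for which the post-fix lookup is rejected by the bound check. */
static int rejected_after_fix(int stride)
{
	struct topo t;
	int rejected = 0;

	topo_build(&t, stride);
	for (int cpu = 0; cpu < NR_CPUS; cpu++)
		if (index_after_fix(&t, cpu) < 0)
			rejected++;
	return rejected;
}

int main(void)
{
	/* stride 2: gapped numbering; stride 1: contiguous numbering */
	printf("table entries:        %d\n", table_entries(2));
	printf("first OOB cpu:        %d\n", first_oob_cpu(2));
	printf("offset of bad access: %ld\n", first_oob_offset(2));
	printf("rejected after fix:   %d\n", rejected_after_fix(2));
	printf("first OOB cpu, contiguous IDs: %d\n", first_oob_cpu(1));
	return 0;
}
```

Under these assumptions the first bad index belongs to CPU 16 at byte offset 512, which lines up with the report's task cpuhp/16 and its "0 bytes to the right of allocated 512-byte region".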
* Re: [PATCH v3] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-23 14:45 ` [PATCH v3] " Zach Wade
@ 2024-09-23 17:51 ` srinivas pandruvada
2024-10-05 12:53 ` Hans de Goede
1 sibling, 0 replies; 15+ messages in thread
From: srinivas pandruvada @ 2024-09-23 17:51 UTC (permalink / raw)
To: Zach Wade, hdegoede, ilpo.jarvinen; +Cc: platform-driver-x86, stable
On Mon, 2024-09-23 at 22:45 +0800, Zach Wade wrote:
> Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-
> bounds".
> kasan report:
> [ 19.411889]
> ==================================================================
> [ 19.413702] BUG: KASAN: slab-out-of-bounds in
> _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.415634] Read of size 8 at addr ffff888829e65200 by task
> cpuhp/16/113
> [ 19.417368]
> [ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G
> E 6.9.0 #10
> [ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop
> Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713
> 07/28/2022
> [ 19.422687] Call Trace:
> [ 19.424091] <TASK>
> [ 19.425448] dump_stack_lvl+0x5d/0x80
> [ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.428694] print_report+0x19d/0x52e
> [ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
> [ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.433539] kasan_report+0xf0/0x170
> [ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
> [ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
> [ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
> [ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
> [ 19.444797] cpuhp_invoke_callback+0x221/0xec0
> [ 19.446337] cpuhp_thread_fun+0x21b/0x610
> [ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
> [ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
> [ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
> [ 19.452405] kthread+0x29c/0x350
> [ 19.453817] ? __pfx_kthread+0x10/0x10
> [ 19.455253] ret_from_fork+0x31/0x70
> [ 19.456685] ? __pfx_kthread+0x10/0x10
> [ 19.458114] ret_from_fork_asm+0x1a/0x30
> [ 19.459573] </TASK>
> [ 19.460853]
> [ 19.462055] Allocated by task 1198:
> [ 19.463410] kasan_save_stack+0x30/0x50
> [ 19.464788] kasan_save_track+0x14/0x30
> [ 19.466139] __kasan_kmalloc+0xaa/0xb0
> [ 19.467465] __kmalloc+0x1cd/0x470
> [ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
> [ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
> [ 19.471670] do_one_initcall+0xa4/0x380
> [ 19.472903] do_init_module+0x238/0x760
> [ 19.474105] load_module+0x5239/0x6f00
> [ 19.475285] init_module_from_file+0xd1/0x130
> [ 19.476506] idempotent_init_module+0x23b/0x650
> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> [ 19.476506] idempotent_init_module+0x23b/0x650
> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> [ 19.478920] do_syscall_64+0x82/0x160
> [ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 19.481292]
> [ 19.482205] The buggy address belongs to the object at
> ffff888829e65000
> which belongs to the cache kmalloc-512 of size 512
> [ 19.484818] The buggy address is located 0 bytes to the right of
> allocated 512-byte region [ffff888829e65000, ffff888829e65200)
> [ 19.487447]
> [ 19.488328] The buggy address belongs to the physical page:
> [ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000
> index:0xffff888829e60c00 pfn:0x829e60
> [ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0
> pincount:0
> [ 19.492466] anon flags:
> 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
> [ 19.493914] page_type: 0xffffffff()
> [ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80
> 0000000000000000 0000000000000001
> [ 19.496451] raw: ffff888829e60c00 0000000080200018
> 00000001ffffffff 0000000000000000
> [ 19.497906] head: 0057ffffc0000840 ffff88810004cc80
> 0000000000000000 0000000000000001
> [ 19.499379] head: ffff888829e60c00 0000000080200018
> 00000001ffffffff 0000000000000000
> [ 19.500844] head: 0057ffffc0000003 ffffea0020a79801
> ffffea0020a79848 00000000ffffffff
> [ 19.502316] head: 0000000800000000 0000000000000000
> 00000000ffffffff 0000000000000000
> [ 19.503784] page dumped because: kasan: bad access detected
> [ 19.505058]
> [ 19.505970] Memory state around the buggy address:
> [ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00
> [ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00
> [ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [ 19.510014] ^
> [ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [ 19.515367]
> ==================================================================
>
> The reason for this error is physical_package_ids assigned by VMware
> VMM
> are not continuous and have gaps. This will cause value returned by
> topology_physical_package_id() to be more than
> topology_max_packages().
>
> Here the allocation uses topology_max_packages(). The call to
> topology_max_packages() returns maximum logical package ID not
> physical
> ID. Hence use topology_logical_package_id() instead of
> topology_physical_package_id().
>
> Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with
> Sub-NUMA clustering")
> Signed-off-by: Zach Wade <zachwade.k@gmail.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
We can add
Cc: stable@vger.kernel.org
But the issue was always there if someone attaches an SST device to a VM with
discontinuous physical package IDs, even though SST is not supported in
a VM environment.
Here some external devices are getting attached to the VM.
Thanks,
Srinivas
> ---
> drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git
> a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> index 10e21563fa46..030c33070b84 100644
> --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> @@ -316,7 +316,9 @@ static struct pci_dev *_isst_if_get_pci_dev(int
> cpu, int bus_no, int dev, int fn
> cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
> return NULL;
>
> - pkg_id = topology_physical_package_id(cpu);
> + pkg_id = topology_logical_package_id(cpu);
> + if (pkg_id >= topology_max_packages())
> + return NULL;
>
> bus_number = isst_cpu_info[cpu].bus_info[bus_no];
> if (bus_number < 0)
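Review bot: the bound in `if (pkg_id >= topology_max_packages())` is correct only as long as the array it protects stays sized by `topology_max_packages()`, which the commit message states but this hunk does not show. A short comment above the check naming that array, or an element count stored at allocation time and compared here, would keep the check and the allocation from drifting apart.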
* Re: [PATCH v3] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-09-23 14:45 ` [PATCH v3] " Zach Wade
2024-09-23 17:51 ` srinivas pandruvada
@ 2024-10-05 12:53 ` Hans de Goede
1 sibling, 0 replies; 15+ messages in thread
From: Hans de Goede @ 2024-10-05 12:53 UTC (permalink / raw)
To: Zach Wade, srinivas.pandruvada, ilpo.jarvinen; +Cc: platform-driver-x86, stable
Hi,
On 23-Sep-24 4:45 PM, Zach Wade wrote:
> Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds".
> kasan report:
> [ 19.411889] ==================================================================
> [ 19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
> [ 19.417368]
> [ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10
> [ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
> [ 19.422687] Call Trace:
> [ 19.424091] <TASK>
> [ 19.425448] dump_stack_lvl+0x5d/0x80
> [ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.428694] print_report+0x19d/0x52e
> [ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
> [ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.433539] kasan_report+0xf0/0x170
> [ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
> [ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
> [ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
> [ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
> [ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
> [ 19.444797] cpuhp_invoke_callback+0x221/0xec0
> [ 19.446337] cpuhp_thread_fun+0x21b/0x610
> [ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
> [ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
> [ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
> [ 19.452405] kthread+0x29c/0x350
> [ 19.453817] ? __pfx_kthread+0x10/0x10
> [ 19.455253] ret_from_fork+0x31/0x70
> [ 19.456685] ? __pfx_kthread+0x10/0x10
> [ 19.458114] ret_from_fork_asm+0x1a/0x30
> [ 19.459573] </TASK>
> [ 19.460853]
> [ 19.462055] Allocated by task 1198:
> [ 19.463410] kasan_save_stack+0x30/0x50
> [ 19.464788] kasan_save_track+0x14/0x30
> [ 19.466139] __kasan_kmalloc+0xaa/0xb0
> [ 19.467465] __kmalloc+0x1cd/0x470
> [ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
> [ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
> [ 19.471670] do_one_initcall+0xa4/0x380
> [ 19.472903] do_init_module+0x238/0x760
> [ 19.474105] load_module+0x5239/0x6f00
> [ 19.475285] init_module_from_file+0xd1/0x130
> [ 19.476506] idempotent_init_module+0x23b/0x650
> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> [ 19.476506] idempotent_init_module+0x23b/0x650
> [ 19.477725] __x64_sys_finit_module+0xbe/0x130
> [ 19.478920] do_syscall_64+0x82/0x160
> [ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 19.481292]
> [ 19.482205] The buggy address belongs to the object at ffff888829e65000
> which belongs to the cache kmalloc-512 of size 512
> [ 19.484818] The buggy address is located 0 bytes to the right of
> allocated 512-byte region [ffff888829e65000, ffff888829e65200)
> [ 19.487447]
> [ 19.488328] The buggy address belongs to the physical page:
> [ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60
> [ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> [ 19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
> [ 19.493914] page_type: 0xffffffff()
> [ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
> [ 19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
> [ 19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
> [ 19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
> [ 19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff
> [ 19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
> [ 19.503784] page dumped because: kasan: bad access detected
> [ 19.505058]
> [ 19.505970] Memory state around the buggy address:
> [ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 19.510014] ^
> [ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 19.515367] ==================================================================
>
> The reason for this error is physical_package_ids assigned by VMware VMM
> are not continuous and have gaps. This will cause value returned by
> topology_physical_package_id() to be more than topology_max_packages().
>
> Here the allocation uses topology_max_packages(). The call to
> topology_max_packages() returns maximum logical package ID not physical
> ID. Hence use topology_logical_package_id() instead of
> topology_physical_package_id().
>
> Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering")
> Signed-off-by: Zach Wade <zachwade.k@gmail.com>
Thank you for your patch/series, I've applied this patch
(series) to my review-hans branch:
https://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86.git/log/?h=review-hans
Note it will show up in the pdx86 review-hans branch once I've
pushed my local branch there, which might take a while.
I will include this patch in my next fixes pull-req to Linus
for the current kernel development cycle.
Regards,
Hans
> ---
> drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> index 10e21563fa46..030c33070b84 100644
> --- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> +++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
> @@ -316,7 +316,9 @@ static struct pci_dev *_isst_if_get_pci_dev(int cpu, int bus_no, int dev, int fn
> cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
> return NULL;
>
> - pkg_id = topology_physical_package_id(cpu);
> + pkg_id = topology_logical_package_id(cpu);
> + if (pkg_id >= topology_max_packages())
> + return NULL;
>
> bus_number = isst_cpu_info[cpu].bus_info[bus_no];
> if (bus_number < 0)
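Review bot: the commit message explains the switch to `topology_logical_package_id()` but does not mention the second change in this hunk, the new early `return NULL` when `pkg_id >= topology_max_packages()`. Since the message describes the logical ID as already bounded by `topology_max_packages()`, it would help to say in the message or in a code comment whether the check is purely defensive or covers a case that can actually occur, so a later cleanup does not drop it by mistake.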
Thread overview: 15+ messages
2024-09-17 18:03 [PATCH] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Zach Wade
2024-09-18 13:48 ` srinivas pandruvada
2024-09-18 16:37 ` Zach Wade
2024-09-18 17:41 ` srinivas pandruvada
2024-09-19 16:22 ` Zach Wade
2024-09-19 18:37 ` srinivas pandruvada
2024-09-20 16:16 ` Zach Wade
2024-09-19 16:37 ` [PATCH v2] " Zach Wade
2024-09-19 18:44 ` srinivas pandruvada
2024-09-20 16:19 ` Zach Wade
2024-09-20 19:37 ` srinivas pandruvada
2024-09-21 11:41 ` Zach Wade
2024-09-23 14:45 ` [PATCH v3] " Zach Wade
2024-09-23 17:51 ` srinivas pandruvada
2024-10-05 12:53 ` Hans de Goede