From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755198AbcFQJZ2 (ORCPT ); Fri, 17 Jun 2016 05:25:28 -0400 Received: from mga09.intel.com ([134.134.136.24]:39018 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751711AbcFQJZX (ORCPT ); Fri, 17 Jun 2016 05:25:23 -0400 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.26,482,1459839600"; d="scan'208";a="977761229" Message-ID: <1466155518.9422.41.camel@intel.com> Subject: Re: [lkp] [thermal] 24bc2fa031: BUG: KASAN: slab-out-of-bounds in thermal_zone_device_register+0x749/0x10a0 at addr ffff880000134140 From: Zhang Rui To: kernel test robot , Eduardo Valentin Cc: LKML , Stephen Rothwell , lkp@01.org Date: Fri, 17 Jun 2016 17:25:18 +0800 In-Reply-To: <20160616012737.GA25904@yexl-desktop> References: <20160616012737.GA25904@yexl-desktop> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.18.5.2-0ubuntu3 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 四, 2016-06-16 at 09:27 +0800, kernel test robot wrote: > FYI, we noticed the following commit: > > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git > master > commit 24bc2fa031f094c05c017a862732924cb46ad2c1 ("thermal: core: move > trips attributes to tz->device.groups") > this should be fixed in the latest thermal -next branch, by the following refreshed patch, thanks, rui >>From e1e917e790b70b88bd418545a29b1eefa01a5566 Mon Sep 17 00:00:00 2001 From: Eduardo Valentin Date: Mon, 30 May 2016 23:18:21 -0700 Subject: [PATCH] thermal: core: move trips attributes to tz->device.groups Finally, move the last thermal zone sysfs attributes to tz->device.groups: trips attributes. This requires adding a attribute_group to thermal_zone_device, creating it dynamically, and then setting all trips attributes in it. The trips attribute is then added to the tz->device.groups. As the removal of all attributes are handled by device core, the device remove calls are not needed anymore. Cc: Zhang Rui Cc: linux-pm@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Eduardo Valentin Signed-off-by: Zhang Rui ---  drivers/thermal/thermal_core.c | 78 ++++++++++++++++++++++--------------------  include/linux/thermal.h        |  2 ++  2 files changed, 42 insertions(+), 38 deletions(-) diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index 657ba02..9926c89 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -1188,8 +1188,9 @@ static const struct attribute_group *thermal_zone_attribute_groups[] = {   */  static int create_trip_attrs(struct thermal_zone_device *tz, int mask)  { - int indx;   int size = sizeof(struct thermal_attr) * tz->trips; + struct attribute **attrs; + int indx;     tz->trip_type_attrs = kzalloc(size, GFP_KERNEL);   if (!tz->trip_type_attrs) @@ -1210,6 +1211,15 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)   }   }   + attrs = kzalloc(sizeof(*attrs) * tz->trips * 3 + 1, GFP_KERNEL); + if (!attrs) { + kfree(tz->trip_type_attrs); + kfree(tz->trip_temp_attrs); + if (tz->ops->get_trip_hyst) + kfree(tz->trip_hyst_attrs); + return -ENOMEM; + } +   for (indx = 0; indx < tz->trips; indx++) {   /* create trip type attribute */   snprintf(tz->trip_type_attrs[indx].name, THERMAL_NAME_LENGTH, @@ -1220,9 +1230,7 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)   tz->trip_type_attrs[indx].name;   tz->trip_type_attrs[indx].attr.attr.mode = S_IRUGO;   tz->trip_type_attrs[indx].attr.show = trip_point_type_show; - - device_create_file(&tz->device, -    &tz->trip_type_attrs[indx].attr); + attrs[indx] = &tz->trip_type_attrs[indx].attr.attr;     /* create trip temp attribute */   snprintf(tz->trip_temp_attrs[indx].name, THERMAL_NAME_LENGTH, @@ -1239,9 +1247,7 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)   tz->trip_temp_attrs[indx].attr.store =   trip_point_temp_store;   } - - device_create_file(&tz->device, -    &tz->trip_temp_attrs[indx].attr); + attrs[indx + tz->trips] = &tz->trip_temp_attrs[indx].attr.attr;     /* create Optional trip hyst attribute */   if (!tz->ops->get_trip_hyst) @@ -1259,45 +1265,39 @@ static int create_trip_attrs(struct thermal_zone_device *tz, int mask)   tz->trip_hyst_attrs[indx].attr.store =   trip_point_hyst_store;   } - - device_create_file(&tz->device, -    &tz->trip_hyst_attrs[indx].attr); + attrs[indx + tz->trips * 2] = + &tz->trip_hyst_attrs[indx].attr.attr;   } - return 0; -} + attrs[tz->trips * 3] = NULL;   -static void remove_trip_attrs(struct thermal_zone_device *tz) -{ - int indx; + tz->trips_attribute_group.attrs = attrs;   - for (indx = 0; indx < tz->trips; indx++) { - device_remove_file(&tz->device, -    &tz->trip_type_attrs[indx].attr); - device_remove_file(&tz->device, -    &tz->trip_temp_attrs[indx].attr); - if (tz->ops->get_trip_hyst) - device_remove_file(&tz->device, -    &tz->trip_hyst_attrs[indx].attr); - } - kfree(tz->trip_type_attrs); - kfree(tz->trip_temp_attrs); - kfree(tz->trip_hyst_attrs); + return 0;  }   -static int thermal_zone_create_device_groups(struct thermal_zone_device *tz) +static int thermal_zone_create_device_groups(struct thermal_zone_device *tz, +      int mask)  {   const struct attribute_group **groups; - int i, size; + int i, size, result;   - size = ARRAY_SIZE(thermal_zone_attribute_groups) + 1; + /* we need one extra for trips and the NULL to terminate the array */ + size = ARRAY_SIZE(thermal_zone_attribute_groups) + 2;   /* This also takes care of API requirement to be NULL terminated */   groups = kcalloc(size, sizeof(*groups), GFP_KERNEL);   if (!groups)   return -ENOMEM;   - for (i = 0; i < size - 1; i++) + for (i = 0; i < size - 2; i++)   groups[i] = thermal_zone_attribute_groups[i];   + if (tz->trips) { + result = create_trip_attrs(tz, mask); + if (result) + return result; + groups[size - 2] = &tz->trips_attribute_group; + } +   tz->device.groups = groups;     return 0; @@ -1934,8 +1934,12 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,   tz->passive_delay = passive_delay;   tz->polling_delay = polling_delay;   + /* sys I/F */   /* Add nodes that are always present via .groups */ - thermal_zone_create_device_groups(tz); + result = thermal_zone_create_device_groups(tz, mask); + if (result) + goto unregister; +   /* A new thermal zone needs to be updated anyway. */   atomic_set(&tz->need_update, 1);   @@ -1947,11 +1951,6 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,   return ERR_PTR(result);   }   - /* sys I/F */ - result = create_trip_attrs(tz, mask); - if (result) - goto unregister; -   for (count = 0; count < trips; count++) {   if (tz->ops->get_trip_type(tz, count, &trip_type))   set_bit(count, &tz->trips_disabled); @@ -2056,7 +2055,10 @@ void thermal_zone_device_unregister(struct thermal_zone_device *tz)     thermal_zone_device_set_polling(tz, 0);   - remove_trip_attrs(tz); + kfree(tz->trip_type_attrs); + kfree(tz->trip_temp_attrs); + kfree(tz->trip_hyst_attrs); + kfree(tz->trips_attribute_group.attrs);   thermal_set_governor(tz, NULL);     thermal_remove_hwmon_sysfs(tz); diff --git a/include/linux/thermal.h b/include/linux/thermal.h index ee517be..580809c 100644 --- a/include/linux/thermal.h +++ b/include/linux/thermal.h @@ -28,6 +28,7 @@  #include  #include  #include +#include  #include  #include   @@ -187,6 +188,7 @@ struct thermal_zone_device {   int id;   char type[THERMAL_NAME_LENGTH];   struct device device; + struct attribute_group trips_attribute_group;   struct thermal_attr *trip_temp_attrs;   struct thermal_attr *trip_type_attrs;   struct thermal_attr *trip_hyst_attrs; --  2.7.4 > > on test machine: vm-lkp-wsx03-quantal-x86_64: 2 threads qemu-system- > x86_64 -enable-kvm -cpu Haswell,+smep,+smap with 360M memory > > caused below changes: > > > +------------------------------------------------------------------ > ----+------------+------------+ > > > >                                                                     > >   | 79f34853ba | 24bc2fa031 | > +------------------------------------------------------------------ > ----+------------+------------+ > > > > boot_successes                                                      > >   | 2          | 0          | > > boot_failures                                                       > >   | 6          | 8          | > > IP-Config:Auto- > > configuration_of_network_failed                       | > > 6          | 4          | > > BUG:KASAN:slab-out-of- > > bounds_in_thermal_zone_device_register_at_addr | 0          | > > 8          | > > BUG:KASAN:slab-out-of- > > bounds_in_internal_create_group_at_addr        | 0          | > > 8          | > > backtrace:power_supply_register                                     > >   | 0          | 8          | > > backtrace:test_power_init                                           > >   | 0          | 8          | > > backtrace:kernel_init_freeable                                      > >   | 0          | 8          | > +------------------------------------------------------------------ > ----+------------+------------+ > > > > [    7.103767] __power_supply_register: Expected proper parent device > for 'test_ac' > [    7.105699] __power_supply_register: Expected proper parent device > for 'test_battery' > [    7.108318] > ================================================================== > [    7.109325] BUG: KASAN: slab-out-of-bounds in > thermal_zone_device_register+0x749/0x10a0 at addr ffff880000134140 > [    7.110709] Write of size 8 by task swapper/1 > [    7.111312] CPU: 0 PID: 1 Comm: swapper Not tainted 4.7.0-rc3- > 00014-g24bc2fa0 #1 > [    7.112309] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS Debian-1.8.2-1 04/01/2014 > [    7.113506]  ffff880000134160 ffff880010897b58 ffffffff817356d9 > ffff880010897bd8 > [    7.114588]  ffffffff811ebffc 0000000000000000 0000000000000000 > 0000000000000297 > [    7.115652]  ffffffff811eadf5 ffff88000013415f 1ffff1000002682c > ffff880010897bd8 > [    7.116720] Call Trace: > [    7.117080]  [] dump_stack+0x19/0x20 > [    7.117777]  [] kasan_report_error+0x1ec/0x5a0 > [    7.118598]  [] ? > kasan_unpoison_shadow+0x35/0x50 > [    7.119454]  [] ? kasan_kmalloc+0xd9/0x100 > [    7.120239]  [] kasan_report+0x33/0x40 > [    7.120967]  [] ? > thermal_zone_device_register+0x749/0x10a0 > [    7.121949]  [] __asan_store8+0x61/0x70 > [    7.122699]  [] > thermal_zone_device_register+0x749/0x10a0 > [    7.123646]  [] ? > thermal_notify_framework+0x10/0x10 > [    7.124545]  [] ? dev_warn+0xe0/0xe0 > [    7.125259]  [] ? _raw_spin_unlock_irq+0x9/0x20 > [    7.126104]  [] ? > device_wakeup_enable+0xbc/0x110 > [    7.126956]  [] > __power_supply_register+0x5c9/0x700 > [    7.127840]  [] power_supply_register+0xe/0x10 > [    7.128663]  [] test_power_init+0x35/0xeb > [    7.129433]  [] ? > wm8350_power_driver_init+0x14/0x14 > [    7.130328]  [] do_one_initcall+0xef/0x1a1 > [    7.131111]  [] ? repair_env_string+0x2f/0x73 > [    7.131912]  [] ? start_kernel+0x447/0x447 > [    7.132689]  [] ? parameq+0xa0/0xa0 > [    7.133385]  [] ? set_debug_rodata+0x12/0x12 > [    7.134192]  [] kernel_init_freeable+0x197/0x228 > [    7.135042]  [] kernel_init+0xe/0x110 > [    7.135751]  [] ret_from_fork+0x1f/0x40 > [    7.136488]  [] ? rest_init+0x90/0x90 > [    7.137207] Object at ffff880000134140, in cache kmalloc-32 > [    7.137952] Object allocated with size 1 bytes. > [    7.138572] Allocation: > [    7.138909] PID = 1 > [    7.139216]  [] save_stack_trace+0x25/0x40 > [    7.139993]  [] save_stack+0x46/0xd0 > [    7.140714]  [] kasan_kmalloc+0xd9/0x100 > [    7.141479]  [] __kmalloc+0xe6/0x1d0 > [    7.142201]  [] > thermal_zone_device_register+0x3ac/0x10a0 > [    7.143162]  [] > __power_supply_register+0x5c9/0x700 > [    7.144076]  [] power_supply_register+0xe/0x10 > [    7.144913]  [] test_power_init+0x35/0xeb > [    7.145698]  [] do_one_initcall+0xef/0x1a1 > [    7.146487]  [] kernel_init_freeable+0x197/0x228 > [    7.147359]  [] kernel_init+0xe/0x110 > [    7.148105]  [] ret_from_fork+0x1f/0x40 > [    7.148860] Memory state around the buggy address: > [    7.149548]  ffff880000134000: 00 fc fc fc fc fc fc fc 00 03 fc fc > fc fc fc fc > [    7.150578]  ffff880000134080: 06 fc fc fc fc fc fc fc 03 fc fc fc > fc fc fc fc > > > FYI, raw QEMU command line is: > > qemu-system-x86_64 -enable-kvm -cpu Haswell,+smep,+smap -kernel > /pkg/linux/x86_64-randconfig-s1-06151451/gcc- > 6/24bc2fa031f094c05c017a862732924cb46ad2c1/vmlinuz-4.7.0-rc3-00014- > g24bc2fa0 -append 'root=/dev/ram0 user=lkp job=/lkp/scheduled/vm-lkp- > wsx03-quantal-x86_64-8/bisect_boot-1-quantal-core-x86_64.cgz-x86_64- > randconfig-s1-06151451-24bc2fa031f094c05c017a862732924cb46ad2c1- > 20160615-110339-ip9qk6-0.yaml~ ARCH=x86_64 kconfig=x86_64-randconfig- > s1-06151451 branch=linux-devel/devel-spot-201606151338 > commit=24bc2fa031f094c05c017a862732924cb46ad2c1 > BOOT_IMAGE=/pkg/linux/x86_64-randconfig-s1-06151451/gcc- > 6/24bc2fa031f094c05c017a862732924cb46ad2c1/vmlinuz-4.7.0-rc3-00014- > g24bc2fa0 max_uptime=600 RESULT_ROOT=/result/boot/1/vm-lkp-wsx03- > quantal-x86_64/quantal-core-x86_64.cgz/x86_64-randconfig-s1- > 06151451/gcc-6/24bc2fa031f094c05c017a862732924cb46ad2c1/0 > LKP_SERVER=inn earlyprintk=ttyS0,115200 systemd.log_level=err debug > apic=debug sysrq_always_enabled rcupdate.rcu_cpu_stall_timeout=100 > panic=-1 softlockup_panic=1 nmi_watchdog=panic oops=panic > load_ramdisk=2 prompt_ramdisk=0 console=ttyS0,115200 console=tty0 > vga=normal rw ip=::::vm-lkp-wsx03-quantal-x86_64-8::dhcp > drbd.minor_count=8'  -initrd /fs/sdc1/initrd-vm-lkp-wsx03-quantal- > x86_64-8 -m 360 -smp 2 -device e1000,netdev=net0 -netdev user,id=net0 > -boot order=nc -no-reboot -watchdog i6300esb -rtc base=localtime > -pidfile /dev/shm/kboot/pid-vm-lkp-wsx03-quantal-x86_64-8 -serial > file:/dev/shm/kboot/serial-vm-lkp-wsx03-quantal-x86_64-8 -daemonize > -display none -monitor null  > > > > > > Thanks, > Xiaolong