drivers/of: crash on boot

From: Sasha Levin
Date: Wed May 18 2016 - 11:34:18 EST


Hi Rhyland,

I'm seeing a crash on boot that seems to have been caused by
"drivers/of: Fix depth when unflattening devicetree":

[ 61.145229] ==================================================================
[ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
[ 61.150490] Read of size 4 by task swapper/0/1
[ 61.151892] page:ffffea00016cc1c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 61.154313] flags: 0x1fffff80000000()
[ 61.155460] page dumped because: kasan: bad access detected
[ 61.157174] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0-next-20160518-sasha-00032-gab479e0-dirty #3090
[ 61.160149] 1ffff1000b660e83 000000008a2fe4e6 ffff88005b3074a0 ffffffffa3049c42
[ 61.162473] ffffffff00000000 fffffbfff5c6e404 0000000041b58ab3 ffffffffadceb660
[ 61.164827] ffffffffa3049ad0 ffff88005b307480 ffffffffa16ecb83 ffff88003f501ebc
[ 61.167133] Call Trace:
[ 61.167904] dump_stack (lib/dump_stack.c:53)
[ 61.169541] ? arch_local_irq_restore (./arch/x86/include/asm/paravirt.h:134)
[ 61.171470] ? __dump_page (mm/debug.c:62)
[ 61.173221] kasan_report_error (include/linux/kasan.h:28 mm/kasan/report.c:211 mm/kasan/report.c:277)
[ 61.175067] ? fdt_next_node (lib/../scripts/dtc/libfdt/fdt.c:163)
[ 61.176905] ? unflatten_dt_nodes (drivers/of/fdt.c:417)
[ 61.178852] __asan_report_load4_noabort (mm/kasan/report.c:318)
[ 61.180850] ? unflatten_dt_nodes (drivers/of/fdt.c:417)
[ 61.182766] unflatten_dt_nodes (drivers/of/fdt.c:417)
[ 61.184697] ? reverse_nodes (drivers/of/fdt.c:396)
[ 61.186439] ? set_pageblock_migratetype (mm/page_alloc.c:589)
[ 61.188473] ? kernel_poison_pages (mm/page_poison.c:163)
[ 61.190344] ? lookup_page_ext (mm/page_ext.c:200)
[ 61.192168] ? get_page_from_freelist (mm/page_alloc.c:1747 mm/page_alloc.c:3003)
[ 61.194178] ? get_from_free_list (lib/idr.c:79)
[ 61.196069] ? ida_get_new_above (lib/idr.c:1002)
[ 61.197884] ? idr_get_empty_slot (lib/idr.c:933)
[ 61.199802] ? split_free_page (mm/page_alloc.c:2901)
[ 61.201598] ? ___might_sleep (kernel/sched/core.c:7520 (discriminator 1))
[ 61.203346] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.205328] ? __alloc_pages_slowpath (mm/page_alloc.c:3749)
[ 61.207386] ? alloc_pages_current (mm/mempolicy.c:2078)
[ 61.209281] ? kasan_unpoison_shadow (mm/kasan/kasan.c:59)
[ 61.211155] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.213015] ? of_fdt_unflatten_tree (drivers/of/fdt.c:513)
[ 61.214929] __unflatten_device_tree (drivers/of/fdt.c:488)
[ 61.216901] of_fdt_unflatten_tree (drivers/of/fdt.c:541)
[ 61.218841] of_unittest (drivers/of/unittest.c:924 drivers/of/unittest.c:1936)
[ 61.220556] ? initcall_blacklisted (init/main.c:725)
[ 61.222494] ? try_to_run_init_process (init/main.c:708)
[ 61.224682] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.227059] ? kobject_add (lib/kobject.c:396)
[ 61.229113] ? kobject_add_internal (lib/kobject.c:396)
[ 61.231455] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.233865] do_one_initcall (init/main.c:770)
[ 61.236005] ? initcall_blacklisted (init/main.c:759)
[ 61.238354] ? ___might_sleep (kernel/sched/core.c:7522)
[ 61.240504] kernel_init_freeable (init/main.c:834 init/main.c:843 init/main.c:861 init/main.c:1008)
[ 61.242798] ? start_kernel (init/main.c:978)
[ 61.244919] ? compat_start_thread (arch/x86/kernel/process_64.c:259)
[ 61.247174] kernel_init (init/main.c:936)
[ 61.249162] ret_from_fork (arch/x86/entry/entry_64.S:390)
[ 61.251170] ? rest_init (init/main.c:931)
[ 61.253104] Memory state around the buggy address:
[ 61.254888]  ffff88005b307600: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 61.257551]  ffff88005b307680: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
[ 61.260255] >ffff88005b307700: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
[ 61.262911]                                                                 ^
[ 61.265529]  ffff88005b307780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.268218]  ffff88005b307800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.270874] ==================================================================
[ 61.273558] Disabling lock debugging due to kernel taint
[ 61.275648] ==================================================================
[ 61.278303] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x1236/0x1290 at addr ffff88005b307898
[ 61.281794] Read of size 8 by task swapper/0/1
[ 61.283483] page:ffffea00016cc1c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 61.286454] flags: 0x1fffff80000000()
[ 61.287817] page dumped because: kasan: bad access detected
[ 61.289904] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 4.6.0-next-20160518-sasha-00032-gab479e0-dirty #3090
[ 61.293896] 1ffff1000b660e83 000000008a2fe4e6 ffff88005b3074a0 ffffffffa3049c42
[ 61.296711] ffffffff00000000 fffffbfff5c6e404 0000000041b58ab3 ffffffffadceb660
[ 61.299551] ffffffffa3049ad0 ffff88005b307480 ffffffffa16ecb83 1ffff1000b660e7c
[ 61.302345] Call Trace:
[ 61.303276] dump_stack (lib/dump_stack.c:53)
[ 61.305261] ? arch_local_irq_restore (./arch/x86/include/asm/paravirt.h:134)
[ 61.307630] ? __dump_page (mm/debug.c:62)
[ 61.309695] kasan_report_error (include/linux/kasan.h:28 mm/kasan/report.c:211 mm/kasan/report.c:277)
[ 61.311931] ? unflatten_dt_nodes (drivers/of/fdt.c:280 drivers/of/fdt.c:417)
[ 61.314291] __asan_report_load8_noabort (mm/kasan/report.c:319)
[ 61.316748] ? unflatten_dt_nodes (drivers/of/fdt.c:280 drivers/of/fdt.c:417)
[ 61.319090] unflatten_dt_nodes (drivers/of/fdt.c:280 drivers/of/fdt.c:417)
[ 61.321417] ? reverse_nodes (drivers/of/fdt.c:396)
[ 61.323547] ? set_pageblock_migratetype (mm/page_alloc.c:589)
[ 61.325990] ? kernel_poison_pages (mm/page_poison.c:163)
[ 61.328309] ? lookup_page_ext (mm/page_ext.c:200)
[ 61.330487] ? get_page_from_freelist (mm/page_alloc.c:1747 mm/page_alloc.c:3003)
[ 61.333007] ? get_from_free_list (lib/idr.c:79)
[ 61.335286] ? ida_get_new_above (lib/idr.c:1002)
[ 61.337542] ? idr_get_empty_slot (lib/idr.c:933)
[ 61.339888] ? split_free_page (mm/page_alloc.c:2901)
[ 61.342067] ? ___might_sleep (kernel/sched/core.c:7520 (discriminator 1))
[ 61.344201] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.346616] ? __alloc_pages_slowpath (mm/page_alloc.c:3749)
[ 61.349125] ? alloc_pages_current (mm/mempolicy.c:2078)
[ 61.351425] ? kasan_unpoison_shadow (mm/kasan/kasan.c:59)
[ 61.353769] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.356028] ? of_fdt_unflatten_tree (drivers/of/fdt.c:513)
[ 61.358290] __unflatten_device_tree (drivers/of/fdt.c:488)
[ 61.360644] of_fdt_unflatten_tree (drivers/of/fdt.c:541)
[ 61.362879] of_unittest (drivers/of/unittest.c:924 drivers/of/unittest.c:1936)
[ 61.364922] ? initcall_blacklisted (init/main.c:725)
[ 61.367248] ? try_to_run_init_process (init/main.c:708)
[ 61.369596] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.371961] ? kobject_add (lib/kobject.c:396)
[ 61.374017] ? kobject_add_internal (lib/kobject.c:396)
[ 61.376375] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.378729] do_one_initcall (init/main.c:770)
[ 61.380868] ? initcall_blacklisted (init/main.c:759)
[ 61.383256] ? ___might_sleep (kernel/sched/core.c:7522)
[ 61.385393] kernel_init_freeable (init/main.c:834 init/main.c:843 init/main.c:861 init/main.c:1008)
[ 61.387720] ? start_kernel (init/main.c:978)
[ 61.389819] ? compat_start_thread (arch/x86/kernel/process_64.c:259)
[ 61.392101] kernel_init (init/main.c:936)
[ 61.394078] ret_from_fork (arch/x86/entry/entry_64.S:390)
[ 61.396076] ? rest_init (init/main.c:931)
[ 61.398002] Memory state around the buggy address:
[ 61.399808]  ffff88005b307780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.402440]  ffff88005b307800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.405131] >ffff88005b307880: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.407790]                             ^
[ 61.409262]  ffff88005b307900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.411905]  ffff88005b307980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.414554] ==================================================================
[ 61.417425] ================================================================================
[ 61.420535] UBSAN: Undefined behaviour in lib/string.c:91:20
[ 61.422646] load of null pointer of type 'const char'
[ 61.424556] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 4.6.0-next-20160518-sasha-00032-gab479e0-dirty #3090
[ 61.428570] 1ffff1000b660e80 000000008a2fe4e6 ffff88005b307488 ffffffffa3049c42
[ 61.431389] ffffffff00000000 fffffbfff5c6e404 0000000041b58ab3 ffffffffadceb660
[ 61.434215] ffffffffa3049ad0 ffff88005b3074b0 ffff88005b307450 ffff88005b307480
[ 61.437020] Call Trace:
[ 61.437943] dump_stack (lib/dump_stack.c:53)
[ 61.439932] ? arch_local_irq_restore (./arch/x86/include/asm/paravirt.h:134)
[ 61.442294] ubsan_epilogue (lib/ubsan.c:165)
[ 61.444363] __ubsan_handle_type_mismatch (lib/ubsan.c:281 lib/ubsan.c:323)
[ 61.446875] ? kobject_init (lib/kobject.c:326)
[ 61.449009] ? ubsan_epilogue (lib/ubsan.c:320)
[ 61.451095] ? kobject_get_path (lib/kobject.c:326)
[ 61.453341] strcpy (lib/string.c:91)
[ 61.455147] unflatten_dt_nodes (drivers/of/fdt.c:331 drivers/of/fdt.c:417)
[ 61.457381] ? reverse_nodes (drivers/of/fdt.c:396)
[ 61.459481] ? set_pageblock_migratetype (mm/page_alloc.c:589)
[ 61.461943] ? kernel_poison_pages (mm/page_poison.c:163)
[ 61.464233] ? lookup_page_ext (mm/page_ext.c:200)
[ 61.466424] ? get_page_from_freelist (mm/page_alloc.c:1747 mm/page_alloc.c:3003)
[ 61.468936] ? split_free_page (mm/page_alloc.c:2901)
[ 61.471135] ? ___might_sleep (kernel/sched/core.c:7520 (discriminator 1))
[ 61.473282] ? __might_sleep (kernel/sched/core.c:7512 (discriminator 14))
[ 61.475410] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.477792] ? __alloc_pages_slowpath (mm/page_alloc.c:3749)
[ 61.480269] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.482681] ? alloc_pages_current (mm/mempolicy.c:2078)
[ 61.486636] ? kasan_unpoison_shadow (mm/kasan/kasan.c:59)
[ 61.488969] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.491291] ? kmalloc_order (mm/slab_common.c:1020 (discriminator 4))
[ 61.493378] ? __kmalloc (include/linux/slab.h:403 include/linux/slab.h:410 mm/slub.c:3554)
[ 61.495360] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.497644] __unflatten_device_tree (include/uapi/linux/swab.h:178 include/uapi/linux/byteorder/little_endian.h:81 drivers/of/fdt.c:504)
[ 61.500032] of_fdt_unflatten_tree (drivers/of/fdt.c:541)
[ 61.502297] of_unittest (drivers/of/unittest.c:924 drivers/of/unittest.c:1936)
[ 61.504309] ? initcall_blacklisted (init/main.c:725)
[ 61.506641] ? try_to_run_init_process (init/main.c:708)
[ 61.509022] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.511404] ? kobject_add (lib/kobject.c:396)
[ 61.513443] ? kobject_add_internal (lib/kobject.c:396)
[ 61.515804] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.518156] do_one_initcall (init/main.c:770)
[ 61.520277] ? initcall_blacklisted (init/main.c:759)
[ 61.522605] ? ___might_sleep (kernel/sched/core.c:7522)
[ 61.524736] kernel_init_freeable (init/main.c:834 init/main.c:843 init/main.c:861 init/main.c:1008)
[ 61.526991] ? start_kernel (init/main.c:978)
[ 61.529067] ? compat_start_thread (arch/x86/kernel/process_64.c:259)
[ 61.531286] kernel_init (init/main.c:936)
[ 61.533257] ret_from_fork (arch/x86/entry/entry_64.S:390)
[ 61.535246] ? rest_init (init/main.c:931)
[ 61.537187] ================================================================================
[ 61.540419] kasan: CONFIG_KASAN_INLINE enabled
[ 61.542078] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 61.544815] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 61.547069] Modules linked in:
[ 61.548271] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 4.6.0-next-20160518-sasha-00032-gab479e0-dirty #3090
[ 61.552201] task: ffff88005b2f8000 ti: ffff88005b300000 task.ti: ffff88005b300000
[ 61.554922] RIP: strcpy (lib/string.c:91 (discriminator 1))
[ 61.557733] RSP: 0000:ffff88005b307558 EFLAGS: 00010246
[ 61.559677] RAX: ffff88004f2a00a8 RBX: ffff88004f2a00a8 RCX: dffffc0000000000
[ 61.562283] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88005b2f8b78
[ 61.564912] RBP: ffff88005b307590 R08: 0000000000000000 R09: 0000000000000001
[ 61.567533] R10: dffffc0000000000 R11: 0000000000000007 R12: 0000000000000000
[ 61.570138] R13: ffff88005b2f8000 R14: 0000000000000001 R15: ffff88004f2a00a9
[ 61.572753] FS: 0000000000000000(0000) GS:ffff880063e00000(0000) knlGS:0000000000000000
[ 61.575709] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 61.577806] CR2: 00000000ffffffff CR3: 000000002e023000 CR4: 00000000000406b0
[ 61.580458] Stack:
[ 61.581219] dffffc0000000000 ffff88004f2a00a8 ffff88004f2a00a8 1ffff1000b65f008
[ 61.584025] ffff88005b2f8000 dffffc0000000000 ffff88004f2a0000 ffff88005b307b08
[ 61.586790] ffffffffa9ef0cbd ffff88005b307600 1ffff1000b660ecc ffffed000b660f7b
[ 61.589578] Call Trace:
[ 61.590498] unflatten_dt_nodes (drivers/of/fdt.c:331 drivers/of/fdt.c:417)
[ 61.592745] ? reverse_nodes (drivers/of/fdt.c:396)
[ 61.594861] ? set_pageblock_migratetype (mm/page_alloc.c:589)
[ 61.597306] ? kernel_poison_pages (mm/page_poison.c:163)
[ 61.599552] ? lookup_page_ext (mm/page_ext.c:200)
[ 61.601702] ? get_page_from_freelist (mm/page_alloc.c:1747 mm/page_alloc.c:3003)
[ 61.604162] ? split_free_page (mm/page_alloc.c:2901)
[ 61.606348] ? ___might_sleep (kernel/sched/core.c:7520 (discriminator 1))
[ 61.608473] ? __might_sleep (kernel/sched/core.c:7512 (discriminator 14))
[ 61.610581] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.613009] ? __alloc_pages_slowpath (mm/page_alloc.c:3749)
[ 61.615451] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.617861] ? alloc_pages_current (mm/mempolicy.c:2078)
[ 61.620164] ? kasan_unpoison_shadow (mm/kasan/kasan.c:59)
[ 61.622445] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.624705] ? kmalloc_order (mm/slab_common.c:1020 (discriminator 4))
[ 61.626757] ? __kmalloc (include/linux/slab.h:403 include/linux/slab.h:410 mm/slub.c:3554)
[ 61.628714] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.630953] __unflatten_device_tree (include/uapi/linux/swab.h:178 include/uapi/linux/byteorder/little_endian.h:81 drivers/of/fdt.c:504)
[ 61.633339] of_fdt_unflatten_tree (drivers/of/fdt.c:541)
[ 61.635630] of_unittest (drivers/of/unittest.c:924 drivers/of/unittest.c:1936)
[ 61.637628] ? initcall_blacklisted (init/main.c:725)
[ 61.639961] ? try_to_run_init_process (init/main.c:708)
[ 61.642306] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.644668] ? kobject_add (lib/kobject.c:396)
[ 61.646708] ? kobject_add_internal (lib/kobject.c:396)
[ 61.649048] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.651375] do_one_initcall (init/main.c:770)
[ 61.653506] ? initcall_blacklisted (init/main.c:759)
[ 61.655861] ? ___might_sleep (kernel/sched/core.c:7522)
[ 61.657963] kernel_init_freeable (init/main.c:834 init/main.c:843 init/main.c:861 init/main.c:1008)
[ 61.660258] ? start_kernel (init/main.c:978)
[ 61.662340] ? compat_start_thread (arch/x86/kernel/process_64.c:259)
[ 61.664584] kernel_init (init/main.c:936)
[ 61.666529] ret_from_fork (arch/x86/entry/entry_64.S:390)
[ 61.668527] ? rest_init (init/main.c:931)
[ 61.670424] Code: 31 f6 48 c7 c7 60 3b 7e b1 48 89 4d c8 48 89 45 d0 e8 46 bc 0d 00 48 8b 4d c8 48 8b 45 d0 4c 89 e2 4c 89 e6 48 c1 ea 03 83 e6 07 <0f> b6 3c 0a 40 38 f7 7f 1d 40 84 ff 74 18 4c 89 e7 48 89 4d c8

All code
========
0: 31 f6 xor %esi,%esi
2: 48 c7 c7 60 3b 7e b1 mov $0xffffffffb17e3b60,%rdi
9: 48 89 4d c8 mov %rcx,-0x38(%rbp)
d: 48 89 45 d0 mov %rax,-0x30(%rbp)
11: e8 46 bc 0d 00 callq 0xdbc5c
16: 48 8b 4d c8 mov -0x38(%rbp),%rcx
1a: 48 8b 45 d0 mov -0x30(%rbp),%rax
1e: 4c 89 e2 mov %r12,%rdx
21: 4c 89 e6 mov %r12,%rsi
24: 48 c1 ea 03 shr $0x3,%rdx
28: 83 e6 07 and $0x7,%esi
2b:* 0f b6 3c 0a movzbl (%rdx,%rcx,1),%edi <-- trapping instruction
2f: 40 38 f7 cmp %sil,%dil
32: 7f 1d jg 0x51
34: 40 84 ff test %dil,%dil
37: 74 18 je 0x51
39: 4c 89 e7 mov %r12,%rdi
3c: 48 89 4d c8 mov %rcx,-0x38(%rbp)
...

Code starting with the faulting instruction
===========================================
0: 0f b6 3c 0a movzbl (%rdx,%rcx,1),%edi
4: 40 38 f7 cmp %sil,%dil
7: 7f 1d jg 0x26
9: 40 84 ff test %dil,%dil
c: 74 18 je 0x26
e: 4c 89 e7 mov %r12,%rdi
11: 48 89 4d c8 mov %rcx,-0x38(%rbp)
...
[ 61.679043] RIP strcpy (lib/string.c:91 (discriminator 1))
[ 61.680988] RSP <ffff88005b307558>
[ 61.682492] ---[ end trace 9406a61b6302e0e2 ]---
[ 61.684450] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 61.684450]
[ 61.688150] Kernel Offset: 0x20000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 61.692255] Rebooting in 1 seconds..
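An added example, not part of the mail above and not code from the kernel tree: a small Python decoder that takes a KASAN report, resolves the faulting address to the matching byte of the "Memory state around the buggy address" dump, and explains that byte using the shadow encoding documented in Documentation/dev-tools/kasan.rst (0x00 = all 8 bytes addressable, 0x01..0x07 = that many leading bytes addressable, 0xF1/0xF2/0xF3/0xF4 = stack left/mid/right/partial redzone, and so on). The two report excerpts embedded in it are copied from the log in this mail; the function names and the single-granule validity check are the example's own. Run on the two reports, it shows that both reads in unflatten_dt_nodes landed on 0xF2, the redzone between two of the function's stack variables, which is consistent with an index stepping just past a stack-resident array rather than with a wild pointer.

```python
"""Resolve a KASAN report's faulting address to its shadow byte and explain it.

Added example, not code from the mail or from the kernel tree.  The shadow
encoding is the one documented in Documentation/dev-tools/kasan.rst; the two
report excerpts below are copied from the log in the mail above.
"""
import re

KASAN_SHADOW_SCALE = 8                    # one shadow byte covers 8 bytes of memory
BYTES_PER_ROW = 16 * KASAN_SHADOW_SCALE   # a 'Memory state' row shows 16 shadow bytes

# Special shadow values.  0x00 means all 8 bytes are addressable and 0x01..0x07
# mean only that many leading bytes are; everything else marks a redzone or
# freed memory (table from Documentation/dev-tools/kasan.rst).
SHADOW_MEANINGS = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone (gap between two stack variables)",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "stack use-after-scope (newer kernels only)",
    0xFA: "global redzone",
    0xFB: "freed kmalloc object",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
}

BUG_RE = re.compile(
    r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ at addr ([0-9a-f]{16})")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) by task (\S+)")
# A dump row: optional '>' marker, 16-digit address, then exactly 16 shadow bytes.
ROW_RE = re.compile(r"(>?)\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def describe_shadow(byte: int) -> str:
    if byte == 0:
        return "all 8 bytes addressable"
    if 1 <= byte <= 7:
        return f"only the first {byte} of 8 bytes addressable"
    return SHADOW_MEANINGS.get(byte, f"unknown shadow value 0x{byte:02x}")


def access_allowed(shadow: int, offset_in_granule: int, size: int) -> bool:
    """KASAN's validity rule for an access that stays inside one 8-byte granule."""
    if shadow == 0:
        return True
    if 1 <= shadow <= 7:
        return offset_in_granule + size <= shadow
    return False


def decode_report(report: str) -> dict:
    """Parse one report and look up the shadow byte for the faulting address."""
    bug = BUG_RE.search(report)
    access = ACCESS_RE.search(report)
    if not bug or not access:
        raise ValueError("not a KASAN report with BUG and access lines")
    addr = int(bug.group(3), 16)
    size = int(access.group(2))
    rows = {}
    for line in report.splitlines():
        m = ROW_RE.search(line)
        if m:
            rows[int(m.group(2), 16)] = [int(b, 16) for b in m.group(3).split()]
    base = next((b for b in rows if b <= addr < b + BYTES_PER_ROW), None)
    if base is None:
        raise ValueError("faulting address not covered by the memory-state dump")
    granule = (addr - base) // KASAN_SHADOW_SCALE
    shadow = rows[base][granule]
    return {
        "bug": bug.group(1),
        "function": bug.group(2),
        "access": access.group(1).lower(),
        "size": size,
        "addr": addr,
        "shadow": shadow,
        "meaning": describe_shadow(shadow),
        "allowed": access_allowed(shadow, addr % KASAN_SHADOW_SCALE, size),
    }


# Excerpts of the two KASAN reports from the mail above (BUG line, access line
# and the memory-state rows around the faulting address).
REPORT_1 = """\
[ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
[ 61.150490] Read of size 4 by task swapper/0/1
[ 61.254888]  ffff88005b307600: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 61.257551]  ffff88005b307680: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
[ 61.260255] >ffff88005b307700: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
[ 61.265529]  ffff88005b307780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
REPORT_2 = """\
[ 61.278303] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x1236/0x1290 at addr ffff88005b307898
[ 61.281794] Read of size 8 by task swapper/0/1
[ 61.402440]  ffff88005b307800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.405131] >ffff88005b307880: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.409262]  ffff88005b307900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    for report in (REPORT_1, REPORT_2):
        r = decode_report(report)
        print(f"{r['bug']} in {r['function']}: {r['access']} of {r['size']} bytes at "
              f"{r['addr']:#x} -> shadow 0x{r['shadow']:02x} ({r['meaning']})")
```

The address arithmetic is the same one KASAN uses: each dump row starts at a memory address (not a shadow address) and its 16 bytes cover 128 bytes, so the faulting address's granule is `(addr - row_base) // 8`. For the first report that is granule 15 of the `>` row, for the second granule 3; both are 0xF2. The `>` marker and the `^` caret in the report point at the same byte, so the decoder is mostly useful when the caret has lost its column in a mail archive, as it had here.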