[RFC] memory corruption caused by efi driver?

From: Yisheng Xie
Date: Sat Jun 24 2017 - 05:54:32 EST


hi all,

I hit a general protection fault (the full crash log is appended at the end of this mail) on a linux-3.10 based kernel. The RIP is sysfs_open_file+0x46/0x2b0.

Disassembling sysfs_open_file in crash and checking the registers shows that it happens when opening the file:
/sys/firmware/efi/vars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c/raw_var

I dumped the kobject and the efivar_entry that contains it, and they appear to have been corrupted. Note that DataSize is 0xc47 (3143 bytes), which is larger than the fixed-size Data[] array in struct efi_variable, and the fields that follow Data (Status, Attributes, list, kobj.name, kobj.entry.next) decode as consecutive ASCII text -- "/pki/cer", "ts/M", "rThiParM", "arRoo_20", "10-10-05", ".crt" -- i.e. a certificate URL path of the same kind as the Microsoft certificate visible in Data. So the variable contents seem to have overrun Data and overwritten the rest of the efivar_entry, including the kobject that sysfs_open_file then dereferences:
crash> struct kobject ffff880464552838
struct kobject {
name = 0x35302d30312d3031 <Address 0x35302d30312d3031 out of bounds>,
entry = {
next = 0x9060d307472632e,
prev = 0x1010df78648862a
},
parent = 0x102820300050b,
kset = 0xf7cecc30ff420835,
ktype = 0x2935586810ad0c76,
sd = 0x4112ef7c27763246,
kref = {
refcount = {
counter = 1243300391
}
},
state_initialized = 0,
state_in_sysfs = 1,
state_add_uevent_sent = 0,
state_remove_uevent_sent = 1,
uevent_suppress = 0
}
crash> p &((struct efivar_entry *)0)->kobj
$1 = (struct kobject *) 0x838
crash> struct efivar_entry -x 0xffff880464552000
struct efivar_entry {
var = {
VariableName = {0x64, 0x62, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0...},
VendorGuid = {
b = "a\337\344\213Ê\322\021\252\r\000\340\230\003+\214"
},
DataSize = 0xc47,
Data = "\241Y\300\245äJ\207\265\253\025\\+\360r@\006\000\000\000\000\000\000$\006\000\000\275\232\372wY\003\062M\275`(\364\347\217xK0\202\006\020\060\202\003\370\240\003\002\001\002\002\na\b\323\304\000\000\000\000\000\004\060\r\006\t*\206H\206\367\r\001\001\v\005\000\060\201\221\061\v0\t\006\003U\004\006\023\002US1\023\060\021\006\003U\004\b\023\nWashington1\020\060\016\006\003U\004\a\023\aRedmond1\036\060\034\006\003U\004\n\023\025Microsoft Corporation1;09\006\003U\004\003\023\062Microsoft Corporation Third Party Marketplace Root0\036\027\r110627212245Z\027\r2606272"...,
Status = 0x7265632f696b702f,
Attributes = 0x4d2f7374
},
list = {
next = 0x4d72615069685472,
prev = 0x30325f6f6f527261
},
kobj = {
name = 0x35302d30312d3031 <Address 0x35302d30312d3031 out of bounds>,
entry = {
next = 0x9060d307472632e,
prev = 0x1010df78648862a
},
parent = 0x102820300050b,
kset = 0xf7cecc30ff420835,
ktype = 0x2935586810ad0c76,
sd = 0x4112ef7c27763246,
kref = {
refcount = {
counter = 0x4a1b4227
}
},
state_initialized = 0x0,
state_in_sysfs = 0x1,
state_add_uevent_sent = 0x0,
state_remove_uevent_sent = 0x1,
uevent_suppress = 0x0
},
scanning = 0x48,
deleting = 0x59
}


Any idea what could write past Data here? Since this machine has several out-of-tree modules loaded (taint flags O/E in the log), I would also like to know whether this pattern points at the EFI runtime services (e.g. GetVariable not honouring the buffer size passed to it) or whether I should first try to reproduce without those modules.

Any comments are appreciated!

Thanks
Yisheng Xie

Full crash log:
------
[12476.033560] general protection fault: 0000 [#1] SMP
[12476.039247] kbox catch die event.
[12476.058628] collected_len = 154965, LOG_BUF_LEN_LOCAL = 1048576
[12476.121740] kbox: notify die begin
[12476.125632] kbox: no notify die func register. no need to notify
[12476.132414] do nothing after die!
[12476.136184] Modules linked in: loop binfmt_misc kboxdriver(O) kbox(O) kernel_log_dev(OE) signo_catch(O) bsp_cpld_lpc(OVE) vfat fat intel_powerclamp coretemp intel_rapl crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd sg i2c_i801 pcspkr shpchp i2c_hid video wmi acpi_pad ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic igb crct10dif_pclmul crct10dif_common i2c_algo_bit ahci i2c_core libahci dca crc32c_intel libata ptp pps_core 8250_dw intel_lpss_module mfd_core [last unloaded: gen_timer]
[12476.191525] CPU: 3 PID: 11257 Comm: cat Tainted: G WC OE ----V------- 3.10.0-327.53.58.73.x86_64 #1
[12476.202708] Hardware name: Default string Default string/SKYBAY, BIOS 5.11 05/05/2017
[12476.211528] task: ffff880315ea5080 ti: ffff88045e530000 task.ti: ffff88045e530000
[12476.219965] RIP: 0010:[<ffffffff812601a6>] [<ffffffff812601a6>] sysfs_open_file+0x46/0x2b0
[12476.229452] RSP: 0018:ffff88045e533c78 EFLAGS: 00010202
[12476.235505] RAX: 2935586810ad0c76 RBX: ffff88043e693e00 RCX: ffff88046451b694
[12476.243560] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88046451b690
[12476.251647] RBP: ffff88045e533ca0 R08: 0000000000000000 R09: 0000000000000000
[12476.259700] R10: 0b90000000000000 R11: ffff880466920780 R12: ffff88042c0094d0
[12476.267752] R13: ffff88046451b690 R14: ffff88042c0094d0 R15: ffff880464552838
[12476.275806] FS: 00007f3e56a96740(0000) GS:ffff88047e4c0000(0000) knlGS:0000000000000000
[12476.285001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[12476.291532] CR2: 00007f3e5659aa80 CR3: 000000043e7e8000 CR4: 00000000003407e0
[12476.299621] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[12476.307672] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[12476.315725] Stack:
[12476.318052] ffff88043e693e00 ffff88042c0094d0 ffff880036cff0c0 0000000000000000
[12476.326565] ffff88043e693e10 ffff88045e533ce8 ffffffff811e15c7 ffff88042c0094d0
[12476.335079] ffffffff81260160 ffff88045e533f28 0000000000008000 ffff88045e533df0
[12476.343599] Call Trace:
[12476.346443] [<ffffffff811e15c7>] do_dentry_open+0x1a7/0x2e0
[12476.352887] [<ffffffff81260160>] ? sysfs_schedule_callback+0x1c0/0x1c0
[12476.360429] [<ffffffff811e17f9>] vfs_open+0x39/0x70
[12476.366105] [<ffffffff811f2c3d>] do_last+0x1ed/0x12a0
[12476.373605] [<ffffffff81300422>] ? radix_tree_lookup_slot+0x22/0x50
[12476.380851] [<ffffffff811f3db2>] path_openat+0xc2/0x490
[12476.386906] [<ffffffff811f557b>] do_filp_open+0x4b/0xb0
[12476.393769] [<ffffffff81202177>] ? __alloc_fd+0xa7/0x130
[12476.399913] [<ffffffff811e2cc3>] do_sys_open+0xf3/0x1f0
[12476.405972] [<ffffffff811e2dde>] SyS_open+0x1e/0x20
[12476.411650] [<ffffffff81650a49>] system_call_fastpath+0x16/0x1b
[12476.418472] Code: f3 4c 8b 68 78 49 8b 45 08 4c 89 ef 4c 8b 78 48 e8 20 09 00 00 48 85 c0 0f 84 47 02 00 00 49 8b 47 28 48 85 c0 0f 84 ba 01 00 00 <4c> 8b 60 08 4d 85 e4 0f 84 ad 01 00 00 8b 43 44 a8 02 74 2e 41
[12476.442610] RIP [<ffffffff812601a6>] sysfs_open_file+0x46/0x2b0
[12476.449436] RSP <ffff88045e533c78>
[12476.453750] ---[ end trace 3f2d7ee3bfcdead8 ]---
[12476.453752] Kernel panic - not syncing: Fatal exception