Re: Fwd: [Bug 214867] New: UBSAN: shift-out-of-bounds in drivers/of/unittest.c:1933:36
From: Frank Rowand
Date: Fri Oct 29 2021 - 20:07:57 EST
On 10/29/21 6:57 PM, Frank Rowand wrote:
>
> Reported in bugzilla, forwarding to the mail lists and maintainers.
>
> -Frank
>
>
> -------- Forwarded Message --------
> Subject: [Bug 214867] New: UBSAN: shift-out-of-bounds in drivers/of/unittest.c:1933:36
> Date: Fri, 29 Oct 2021 13:59:02 +0000
> From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
>
>
> https://bugzilla.kernel.org/show_bug.cgi?id=214867
>
> Bug ID: 214867
> Summary: UBSAN: shift-out-of-bounds in
> drivers/of/unittest.c:1933:36
> Product: Platform Specific/Hardware
> Version: 2.5
> Kernel Version: 5.15-rc7
> Hardware: PPC-64
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: PPC-64
> Assignee: platform_ppc-64@xxxxxxxxxxxxxxxxxxxx
> Reporter: erhard_f@xxxxxxxxxxx
> CC: bugzilla.kernel.org@xxxxxxxxxxx
> Regression: No
>
> Created attachment 299361
> --> https://bugzilla.kernel.org/attachment.cgi?id=299361&action=edit
> kernel dmesg (kernel 5.15-rc7, Talos II)
>
> UBSAN catches this at boot on my Talos II.
>
> [...]
> ### dt-test ### EXPECT / : GPIO line <<int>> (line-C-input) hogged as input
> ================================================================================
> UBSAN: shift-out-of-bounds in drivers/of/unittest.c:1933:36
> shift exponent -1 is negative
> CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc7-TalosII #1
> Call Trace:
> [c000000004163700] [c0000000008ffaa8] .dump_stack_lvl+0xa4/0x100 (unreliable)
> [c000000004163790] [c0000000008fb46c] .ubsan_epilogue+0x10/0x70
> [c000000004163800] [c0000000008fb270]
> .__ubsan_handle_shift_out_of_bounds+0x1f0/0x34c
> [c000000004163910] [c000000000ad94a0] .of_unittest_untrack_overlay+0x6c/0xe0
> [c0000000041639a0] [c000000002098ff8] .of_unittest+0x4c50/0x59f8
> [c000000004163b60] [c000000000011b5c] .do_one_initcall+0x7c/0x4f0
> [c000000004163c50] [c00000000200300c] .kernel_init_freeable+0x704/0x858
> [c000000004163d90] [c000000000012730] .kernel_init+0x20/0x190
> [c000000004163e10] [c00000000000ce78] .ret_from_kernel_thread+0x58/0x60
> ================================================================================
> ### dt-test ### EXPECT \ : OF: overlay: WARNING: memory leak will occur if
> overlay removed, property: /testcase-data-2/substation@100/status
> [...]
>
Further comments in Bugzilla are:
---------- comment 1:
Erhard F. 2021-10-29 14:00:20 UTC
Created attachment 299363
kernel .config (kernel 5.15-rc7, Talos II)
# lspci
0000:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0000:01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Turks XT [Radeon HD 6670/7670]
0000:01:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Turks HDMI Audio [Radeon HD 6500/6600 / 6700M Series]
0001:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0001:01:00.0 Non-Volatile memory controller: Phison Electronics Corporation Device 5008 (rev 01)
0002:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0003:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0003:01:00.0 USB controller: Texas Instruments TUSB73x0 SuperSpeed USB 3.0 xHCI Host Controller (rev 02)
0004:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0004:01:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme BCM5719 Gigabit Ethernet PCIe (rev 01)
0004:01:00.1 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme BCM5719 Gigabit Ethernet PCIe (rev 01)
0005:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0005:01:00.0 PCI bridge: ASPEED Technology, Inc. AST1150 PCI-to-PCI Bridge (rev 04)
0005:02:00.0 VGA compatible controller: ASPEED Technology, Inc. ASPEED Graphics Family (rev 41)
0030:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0031:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0032:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0033:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
---------- comment 2:
Arnd Bergmann 2021-10-29 14:06:48 UTC
This is the function that triggers it:
static void of_unittest_untrack_overlay(int id)
{
	if (overlay_first_id < 0)
		return;
	id -= overlay_first_id;
	if (WARN_ON(id >= MAX_UNITTEST_OVERLAYS))
		return;
	overlay_id_bits[BIT_WORD(id)] &= ~BIT_MASK(id);
}
My guess is that 'id' is negative here, which means it fails to trigger the
WARN_ON() but ends up still being out of range.
Can you try changing it to 'unsigned int id'?
---------- More info from me, but I did not comment in bugzilla
line 1933 is the final line of of_unittest_untrack_overlay()
(see comment 2 for context):
1933 overlay_id_bits[BIT_WORD(id)] &= ~BIT_MASK(id);
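
Added example, not part of the original message or of the kernel source: a user-space C model of the check discussed in comment 2. It shows that an id of -1 passes the upper-bound-only test and yields the shift exponent -1 that UBSAN reported, and that the suggested 'unsigned int id' makes the same test reject it. MAX_UNITTEST_OVERLAYS is set to an assumed 256, and passes_quoted_check, shift_exponent and untrack_unsigned are hypothetical names; the exponent is computed but never used in a shift.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Same meaning as the kernel's BITS_PER_LONG; 256 is an assumed size. */
#define BITS_PER_LONG ((int)(sizeof(long) * CHAR_BIT))
#define MAX_UNITTEST_OVERLAYS 256

static unsigned long overlay_id_bits[MAX_UNITTEST_OVERLAYS / BITS_PER_LONG];

/* The quoted function tests only the upper bound of a signed id. */
static bool passes_quoted_check(int id)
{
	return !(id >= MAX_UNITTEST_OVERLAYS);
}

/* Exponent BIT_MASK(id) shifts by: id % BITS_PER_LONG (not shifted here). */
static int shift_exponent(int id)
{
	return id % BITS_PER_LONG;
}

/* Model of the suggested change: with an unsigned id, a value below
 * first_id wraps to a huge number and the same upper-bound test rejects it. */
static bool untrack_unsigned(int first_id, unsigned int id)
{
	if (first_id < 0)
		return false;
	id -= (unsigned int)first_id;
	if (id >= MAX_UNITTEST_OVERLAYS)
		return false;
	overlay_id_bits[id / BITS_PER_LONG] &= ~(1UL << (id % BITS_PER_LONG));
	return true;
}

int main(void)
{
	int id = 9 - 10;	/* constructed: overlay id 9, first tracked id 10 */

	printf("signed id %d passes check: %d, shift exponent: %d\n",
	       id, passes_quoted_check(id), shift_exponent(id));
	printf("unsigned variant accepts id 9: %d\n", untrack_unsigned(10, 9));
	printf("unsigned variant accepts id 12: %d\n", untrack_unsigned(10, 12));
	return 0;
}
```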