Re: [PATCH v3 22/29] x86/cpu: Use consolidated leaf 0x2 descriptor table
From: Ahmed S. Darwish
Date: Mon Mar 24 2025 - 07:15:37 EST
Hi,
On Mon, 24 Mar 2025, kernel test robot wrote:
>
> [ 5.001760][ T0] BUG: KASAN: stack-out-of-bounds in intel_detect_tlb (arch/x86/kernel/cpu/intel.c:698 arch/x86/kernel/cpu/intel.c:688)
> [ 5.001760][ T0] Read of size 1 at addr ffffffff8a607e80 by task swapper/0/0
> [ 5.001760][ T0]
> [ 5.001760][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.14.0-rc5-00152-ge114ca069e27 #1
> [ 5.001760][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> [ 5.001760][ T0] Call Trace:
> [ 5.001760][ T0] <TASK>
> [ 5.001760][ T0] dump_stack_lvl (lib/dump_stack.c:124)
> [ 5.001760][ T0] print_address_description+0x2c/0x3f0
> [ 5.001760][ T0] ? intel_detect_tlb (arch/x86/kernel/cpu/intel.c:698 arch/x86/kernel/cpu/intel.c:688)
>
I've reproduced the KASAN report and below hunk fixes it:
| --- a/arch/x86/include/asm/cpuid/leaf_0x2_api.h
| +++ b/arch/x86/include/asm/cpuid/leaf_0x2_api.h
| @@ -88,9 +88,9 @@ static inline void cpuid_get_leaf_0x2_regs(union leaf_0x2_regs *regs)
| * }
| * }
| */
| -#define for_each_leaf_0x2_entry(regs, __ptr, entry) \
| - for (__ptr = &(regs).desc[1], entry = &cpuid_0x2_table[*__ptr]; \
| - __ptr < &(regs).desc[16]; \
| - __ptr++, entry = &cpuid_0x2_table[*__ptr])
| +#define for_each_leaf_0x2_entry(regs, __ptr, entry) \
| + for (__ptr = &(regs).desc[1]; \
| + __ptr < &(regs).desc[16] && (entry = &cpuid_0x2_table[*__ptr]); \
| + __ptr++)
I'll include the fix in v4.
(It also makes sense that this was triggered at x86/cpu intel.c and not
x86/cacheinfo, since in cacheinfo.c, CPUID(4) when available is always
preferred to CPUID(2).)
Thanks!
--
Ahmed S. Darwish
Linutronix GmbH