Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp796517ybg; Mon, 1 Jun 2020 14:55:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxEJObGgotiyWzChDUT8DqdoyTUxkqZMLtIAje2FcN5cbz8Av+e029XbsKSwemP7NgUi/BB X-Received: by 2002:a17:906:5e0a:: with SMTP id n10mr9999322eju.274.1591048507463; Mon, 01 Jun 2020 14:55:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591048507; cv=none; d=google.com; s=arc-20160816; b=FsLxWvmiaUmPKr37uwxJapDY9xh1MUmaXd8V3HXUC3HF9N2Hb2Q3Cru+oXTAXDmZMh K5q0O5GdL8SAxoxQh1Ahj1b+5WY03OwnPP1gWfvTzHAERj2AFiURG+g3Qh7Iu/fPWGW6 K526idqoM6T7l3kvVXKQu73Gofc2ouduMvGofHUZ3+hGFsY3rBqzUNDDz6YApyK1pZV0 jYxDLXI4mmO8IfDtTKtqDC3ngr9OTJw0jd71QBRRTMXUUNyECeXR+HIIIZ7f8XjU7m56 PXJ3Z1zFxu7BgY6Ge1XdCYuFF2seJZbQevjviB3qcFP7sudwCT9yiN6HMLshZNB/jCuo QSBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=onQKbzkilz0X5tVc09T8iL8x6pvNazvbXVadw7hgTwg=; b=yRMcSPuA7oB/mJbB2cz2HEFcpZF85Aii236toDMP8ZNfvoQAQzOjPOZecPniTeTskZ v9diKJjZel3wAZDe/pe/ER8qhW1Va5Mi1rA4xnPqWSOj2PyNa3F+YcYL3Vb/kSvQhMkY jekS0NXNpyCCDzHpKb+G9kWD1EW4WbZqAYMoj0sRTPY9WW1K6qSFfGr7qqjOJ3Yq+qJ0 NttcwA4N/o3Nz8674I1/8tLt0s8o+ajorp+gkNYNa7IJkjMIbPh7rrUe/8S3i1Zu6weT NdxS0A+bCXDCFKzgQTjwm6vxAwZu8weybu9+KiBx4hh59KmRuqltDBT1dtmDJhEsOcXq Imlw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=g0ZCrPcw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 17si443230edw.300.2020.06.01.14.54.43; Mon, 01 Jun 2020 14:55:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=g0ZCrPcw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728541AbgFAVwK (ORCPT + 99 others); Mon, 1 Jun 2020 17:52:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45676 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728336AbgFAVwJ (ORCPT ); Mon, 1 Jun 2020 17:52:09 -0400 Received: from mail-pj1-x1041.google.com (mail-pj1-x1041.google.com [IPv6:2607:f8b0:4864:20::1041]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BEB9AC061A0E for ; Mon, 1 Jun 2020 14:52:07 -0700 (PDT) Received: by mail-pj1-x1041.google.com with SMTP id h95so429089pje.4 for ; Mon, 01 Jun 2020 14:52:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=onQKbzkilz0X5tVc09T8iL8x6pvNazvbXVadw7hgTwg=; b=g0ZCrPcw+8Y4ceJnJeW4DMbSloHDtOqZhyhQ3PpwR9AqJxOPW9dw6muw4SjgImhrS6 8vSLhQEy8iEccEUxm1vsQAz9hFO3RcSlgfNSKB+O9ZlTYX1yuKZGwCWjYvRKCw2RvBgt t7B2hoBLMWPzqi7cUHbgmn9qtkFflXg4WZbJsd4J6s9HQeiKhEtOLc+JhoLekK/15yxU LHOU7tSnQvcmHifNcOlWT/katcTSXjBJo6bo4n7ez8GE48AZJNDFY4Cj/5ovsa5eg+UK GQbnOATDPqwqu951zF/14BCMDtH0O1XFNRkNAIo2tFGZ2/pIZp7N5Sxwfl0McN//rXmQ caaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=onQKbzkilz0X5tVc09T8iL8x6pvNazvbXVadw7hgTwg=; b=lEMmhGLUCRqTJAAC+eHRox3YKcBxmIoDx8bfdNO3cip1r4S/47nEdnPLKID4lxOc5t GnS2VaMaT1OkThmuSl2jBa+07N6Fh3VSdR8gv/MCvxlokMm3gNju81qnVRofIHcAzR70 B+yFhvUlr3L1T2HqKQvpxQfnHJzI5sH46V2Mt2xDi3e8+LNdArtrEl3waXEGEBidOweJ NvKGBQz/CVBPaukP5/Mm/eA54UzVTMW6KjrP3L/xKc1EZRSndygTxX18Jr3jQsImyf1/ Cy8kuT6xdvJ06pd/kj8kfPUOHN4+BQpwNhcNnAmP6beaHptlRR/XkKWeiDAwS8+K/PPM Nm/Q== X-Gm-Message-State: AOAM533vFYSwgUvqNQgHviONmXd3y6RJlka1VINkLAJ7qOh/Ni/DmEbG HPdCIrJirAUhlDAaChi8vt7n7s2dO65OtTwJ0YRTZQ== X-Received: by 2002:a17:902:724a:: with SMTP id c10mr21740309pll.223.1591048326923; Mon, 01 Jun 2020 14:52:06 -0700 (PDT) MIME-Version: 1.0 References: <20200521100952.GA5360@willie-the-truck> <20200521173738.GA29590@e121166-lin.cambridge.arm.com> <20200526202157.GE2206@willie-the-truck> <20200527134104.GA16115@e121166-lin.cambridge.arm.com> <20200601070459.GB8601@willie-the-truck> In-Reply-To: <20200601070459.GB8601@willie-the-truck> From: Nick Desaulniers Date: Mon, 1 Jun 2020 14:51:55 -0700 Message-ID: Subject: Re: arm64/acpi: NULL dereference reports from UBSAN at boot To: Will Deacon Cc: Lorenzo Pieralisi , guohanjun@huawei.com, "Rafael J. Wysocki" , Linux ARM , LKML , Mark Rutland , Dmitry Vyukov , Alexander Potapenko , Peter Collingbourne , Ard Biesheuvel Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 1, 2020 at 12:05 AM Will Deacon wrote: > > On Wed, May 27, 2020 at 02:41:04PM +0100, Lorenzo Pieralisi wrote: > > On Tue, May 26, 2020 at 09:21:57PM +0100, Will Deacon wrote: > > > Hi Lorenzo, Hanjun, [+Nick] > > > > > > On Thu, May 21, 2020 at 06:37:38PM +0100, Lorenzo Pieralisi wrote: > > > > On Thu, May 21, 2020 at 11:09:53AM +0100, Will Deacon wrote: > > > > > Hi folks, > > > > > > > > > > I just tried booting the arm64 for-kernelci branch under QEMU (version > > > > > 4.2.50 (v4.2.0-779-g4354edb6dcc7)) with UBSAN enabled, and I see a > > > > > couple of NULL pointer dereferences reported at boot. I think they're > > > > > both GIC related (log below). I don't see a panic with UBSAN disabled, > > > > > so something's fishy here. > > > > > > > > May I ask you the QEMU command line please - just to make sure I can > > > > replicate it. > > > > > > As it turns out, I'm only able to reproduce this when building with Clang, > > > but I don't know whether that's because GCC is missing something of Clang > > > is signalling a false positive. You also don't need all of those whacky > > > fuzzing options enabled. > > > > > > Anyway, to reproduce: > > > > > > $ git checkout for-next/kernelci > > > $ make ARCH=arm64 CC=clang CROSS_COMPILE=aarch64-linux-gnu- defconfig > > > > > > $ make ARCH=arm64 CC=clang CROSS_COMPILE=aarch64-linux-gnu- Image > > > > > > I throw that at QEMU using: > > > > > > qemu-system-aarch64 -M virt -machine virtualization=true \ > > > -machine virt,gic-version=3 \ > > > -cpu max,sve=off -smp 2 -m 4096 \ > > > -drive if=pflash,format=raw,file=efi.img,readonly \ > > > -drive if=pflash,format=raw,file=varstore.img \ > > > -drive if=virtio,format=raw,file=disk.img \ > > > -device virtio-scsi-pci,id=scsi0 \ > > > -device virtio-rng-pci \ > > > -device virtio-net-pci,netdev=net0 \ > > > -netdev user,id=net0,hostfwd=tcp::8222-:22 \ > > > -nographic \ > > > -kernel ~/work/linux/arch/arm64/boot/Image \ > > > -append "earlycon root=/dev/vda2" > > > > > > I built QEMU a while ago according to: > > > > > > https://mirrors.edge.kernel.org/pub/linux/kernel/people/will/docs/qemu/qemu-arm64-howto.html > > > > > > and its version 4.2.50 (v4.2.0-779-g4354edb6dcc7). > > > > > > My clang is version 11.0.1. > > > > Thanks a lot Will. > > > > I *think* I was right - it is the ACPI_OFFSET() macro: > > > > #define ACPI_OFFSET(d, f) ACPI_PTR_DIFF (&(((d *) 0)->f), (void *) 0) > > > > that triggers the warnings (I suspected it because at least in one of > > the warnings I could not see any dereference of any dynamically > > allocated data). > > Cheers, Lorenzo. > > > Now on what to do with it - thoughts welcome. > > Nick -- any idea what to do about the above? The '#define' pasted by > Lorenzo is causing a couple of spurious UBSAN splats when compiling with > clang 11. If there's undefined behavior from that macro soup, we should be able to reproduce it outside of the kernel and regardless of target architecture, right? The macros aren't too much to throw into a file: ```foo.c #define acpi_uintptr_t void * #define ACPI_CAST_PTR(t, p) ((t *) (acpi_uintptr_t) (p)) typedef unsigned char u8; typedef unsigned long u64; typedef u64 acpi_size; #define ACPI_PTR_DIFF(a, b) ((acpi_size) (ACPI_CAST_PTR (u8, (a)) - ACPI_CAST_PTR (u8, (b)))) #define ACPI_OFFSET(d, f) ACPI_PTR_DIFF (&(((d *) 0)->f), (void *) 0) struct foo { unsigned char bar; int baz; }; int main() { return ACPI_OFFSET(struct foo, baz); } ``` I think looks right. If we run that through -E, and clean that up further, we get: ```bar.c typedef unsigned char u8; typedef unsigned long u64; struct foo { unsigned char bar; int baz; }; int main() { return ((u64) (((u8 *) (void *) ((&(((struct foo *) 0)->baz)))) - ((u8 *) (void *) (((void *) 0))))); } ``` I may be miscounting my parentheses, but how do you take the address of `type`->`member`? What does that even mean? + some more sanitizer folks and Ard for ACPI. anyways, running foo.c through a compiler: $ clang -O2 foo.c -fsanitize=undefined $ ./a.out foo.c:15:12: runtime error: member access within null pointer of type 'struct foo' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior foo.c:15:12 in (msg looks truncated, wtf) Anyways, it looks like the address of member from NULL subexpression looks problematic. I wonder if offsetof can be used here? #define ACPI_OFFSET(d, f) ACPI_PTR_DIFF (offsetof(d, f), (void *) 0) Seems to work in my basic test case. Untested in the kernel. IIUC, ACPI_OFFSET is trying to calculate the difference between the offset of a member of a struct and 0? Isn't that the tautology `x - 0 == x`? -- Thanks, ~Nick Desaulniers