Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp4238370pxb; Tue, 17 Nov 2020 15:27:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJyVoxfTP3xU2phPJqv9EDgUehjBOL74RsWfXcmIRoAnujU0QgbfWmRkZH/nuMdfHXPhVYGJ X-Received: by 2002:a17:906:7a11:: with SMTP id d17mr21068177ejo.153.1605655645002; Tue, 17 Nov 2020 15:27:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605655644; cv=none; d=google.com; s=arc-20160816; b=PSnXxZSHBFmmfLz2OCDzDIkNyoO/oopFJADBbeilpIApZrL0+4FfQyltxBkg8IB8yc UGW8Y6I/6EzuUHEYuXPQjs5Hpb7xfaCNp2/2iIjhMkRgMCXjGQG2czUtXhTH26XU2V4/ dBETu/TG1LK8+A0lb7IY3ADJOKG8KhqgZydjGeqEcLms9cLov2DdsacT/y6i9LW4Ur37 zm9XP8jiOrRiWaRaeM4tutqmniBw7GUBb/+s5wQTqcvGNM7v0s27wx3SqjJ4LAwF74lN +7VlwcKJncRlQeNWJXhxvawdjM6cWhbW7Vlh0wrEUfILEOsZOaDp+pHySzHOk4+knL3l u8RA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=BPjxYG10nNEarUm95nLoroA2ShGvg7pn52uDyKMVgAk=; b=JbSrs+lEmAR3kza4tZhJN4dddyRqu6Ev8zYUnpFuolRTzsTAo+5nKyoTO3To/llnwn PV6EplOft8GuRKhZjGy3IceGwZFPWxiTZY/J0ueQRBrBSGaWuVI3gzn3WrQyJT05ng9m J2zT1hOr7gq+5nil58GONaNM6BBJdeHKqiSDwUrc6IOb+wbKGz1eSDZa6t3L0/6HiK57 2iiHSOBU4khjXP5y9a1M47xTTmLBeShOk1inCfBoeRyR8ifTC2tMfBldW//FW7XI48M9 apaWiIOK2qzmGEDd827jLppojn2CgHoLC/8MDi7U8lRwn4N01aZw5N7QYNWunv450bLA IjNQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ti.com header.s=ti-com-17Q1 header.b=FSwxrQQQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=ti.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c20si17969701ejr.515.2020.11.17.15.27.02; Tue, 17 Nov 2020 15:27:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ti.com header.s=ti-com-17Q1 header.b=FSwxrQQQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=ti.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729913AbgKQXYu (ORCPT + 99 others); Tue, 17 Nov 2020 18:24:50 -0500 Received: from fllv0015.ext.ti.com ([198.47.19.141]:59446 "EHLO fllv0015.ext.ti.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728193AbgKQXYs (ORCPT ); Tue, 17 Nov 2020 18:24:48 -0500 Received: from fllv0035.itg.ti.com ([10.64.41.0]) by fllv0015.ext.ti.com (8.15.2/8.15.2) with ESMTP id 0AHNO712032017; Tue, 17 Nov 2020 17:24:07 -0600 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com; s=ti-com-17Q1; t=1605655447; bh=BPjxYG10nNEarUm95nLoroA2ShGvg7pn52uDyKMVgAk=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=FSwxrQQQRtLBvw28CJ46qgx188WRV3MOSiS8tPYqf5tP7nzTgVkVVR2J+XabXPsFi UZkGBZR6rnQcrAdtR64jgBMqWm4yccPbSr5txNDhSq2dp1jQ48P/VZe3av13KXWHTV le/fM99rJgr6CGgztSZlgEDHkaq1qra7IYBpRBxI= Received: from DFLE104.ent.ti.com (dfle104.ent.ti.com [10.64.6.25]) by fllv0035.itg.ti.com (8.15.2/8.15.2) with ESMTPS id 0AHNO7hi097004 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 17 Nov 2020 17:24:07 -0600 Received: from DFLE112.ent.ti.com (10.64.6.33) by DFLE104.ent.ti.com (10.64.6.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Tue, 17 Nov 2020 17:24:06 -0600 Received: from fllv0039.itg.ti.com (10.64.41.19) by DFLE112.ent.ti.com (10.64.6.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3 via Frontend Transport; Tue, 17 Nov 2020 17:24:06 -0600 Received: from localhost (ileax41-snat.itg.ti.com [10.172.224.153]) by fllv0039.itg.ti.com (8.15.2/8.15.2) with ESMTP id 0AHNO6Am130347; Tue, 17 Nov 2020 17:24:06 -0600 Date: Tue, 17 Nov 2020 17:24:06 -0600 From: Nishanth Menon To: Arnd Bergmann CC: Naresh Kamboju , Linux ARM , Linux-Next Mailing List , open list , linux-mm , , linux-mmc , Linus Walleij , Arnd Bergmann , Andrew Morton , Steven Rostedt , Ulf Hansson , Linux-OMAP , Liam Girdwood , Mark Brown Subject: Re: [arm] BUG: KASAN: slab-out-of-bounds in memcmp+0x30/0x5c Message-ID: <20201117232343.rg37fkacw43matmh@revered> References: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20171215 X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 16:25-20201117, Arnd Bergmann wrote: > On Tue, Nov 17, 2020 at 3:44 PM Naresh Kamboju > wrote: > > > > While booting arm KASAN config enabled kernel on TI x15 device > > Linux version 5.10.0-rc3-next-20201116. > > > > The reported issue is not a regression since we have recently started testing > > arm+kasan builds on LKFT. > > > > The boot was not successful on x15 and qemu_arm for some other reason. > > The kernel config and crash log attached to this email. > > Nice find! > > > [ 13.071906] BUG: KASAN: slab-out-of-bounds in memcmp+0x30/0x5c > > [ 13.077526] Synopsys Designware Multimedia Card Interface Driver > > [ 13.077781] Read of size 1 at addr c5ae1d90 by task kworker/0:0/5 > > [ 13.089918] > > [ 13.091433] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted > > 5.10.0-rc3-next-20201116 #2 > > [ 13.093605] sdhci-pltfm: SDHCI platform and OF driver helper > > [ 13.099135] Hardware name: Generic DRA74X (Flattened Device Tree) > > [ 13.110942] Workqueue: events dbs_work_handler > > [ 13.115442] [] (unwind_backtrace) from [] > > (show_stack+0x10/0x14) > > [ 13.123240] [] (show_stack) from [] > > (dump_stack+0xc8/0xe0) > > [ 13.130518] [] (dump_stack) from [] > > (print_address_description.constprop.0+0x34/0x2dc) > > [ 13.140238] [] (print_address_description.constprop.0) > > from [] (kasan_report+0x1a8/0x1c4) > > [ 13.145871] omap_gpio 4805d000.gpio: Could not set line 27 debounce > > to 200000 microseconds (-22) > > [ 13.150221] [] (kasan_report) from [] (memcmp+0x30/0x5c) > > [ 13.159064] sdhci-omap 4809c000.mmc: Got CD GPIO > > [ 13.166123] [] (memcmp) from [] > > (ti_abb_set_voltage_sel+0x94/0x58c) > > [ 13.166150] [] (ti_abb_set_voltage_sel) from [] > > (_regulator_call_set_voltage_sel+0xd8/0x12c) > > > I see this code in ti_abb_set_voltage_sel(): > > if (sel >= desc->n_voltages) { > dev_err(dev, "%s: sel idx(%d) >= n_voltages(%d)\n", __func__, > sel, desc->n_voltages); > return -EINVAL; > } > > /* If we are in the same index as we were, nothing to do here! */ > if (sel == abb->current_info_idx) { > dev_dbg(dev, "%s: Already at sel=%d\n", __func__, sel); > return ret; > } > > /* If data is exactly the same, then just update index, no change */ > info = &abb->info[sel]; > oinfo = &abb->info[abb->current_info_idx]; > if (!memcmp(info, oinfo, sizeof(*info))) { > > One of the two pointers overflows the abb->info array that is allocated > with length 'desc->n_voltages'. The 'sel' argument is checked against > that limit, so I assume it's abb->current_info_idx, and this is indeed > initialized as > > /* We do not know where the OPP voltage is at the moment */ > abb->current_info_idx = -EINVAL; > > Using the negative '-EINVAL' as an array index would indeed cause > an out-of-bounds access. > > Could you try adding this extra bounds check? > > index 3e60bff76194..c475a9461027 100644 > --- a/drivers/regulator/ti-abb-regulator.c > +++ b/drivers/regulator/ti-abb-regulator.c > @@ -345,7 +345,8 @@ static int ti_abb_set_voltage_sel(struct > regulator_dev *rdev, unsigned sel) > /* If data is exactly the same, then just update index, no change */ > info = &abb->info[sel]; > oinfo = &abb->info[abb->current_info_idx]; > - if (!memcmp(info, oinfo, sizeof(*info))) { > + if (abb->current_info_idx >= 0 && > + !memcmp(info, oinfo, sizeof(*info))) { > dev_dbg(dev, "%s: Same data new idx=%d, old idx=%d\n", __func__, > sel, abb->current_info_idx); > goto out; > > Arnd Yes, this was indeed a bug that has been around for some time now :( I tested with a variant of the above (did'nt like that oinfo was being assigned an invalid address) Boot log: https://pastebin.ubuntu.com/p/nZfz3HF8N6/ (with the same config as in the report): Would you prefer to me to send the following as a formal patch? diff --git a/drivers/regulator/ti-abb-regulator.c b/drivers/regulator/ti-abb-regulator.c index 3e60bff76194..9f0a4d50cead 100644 --- a/drivers/regulator/ti-abb-regulator.c +++ b/drivers/regulator/ti-abb-regulator.c @@ -342,8 +342,17 @@ static int ti_abb_set_voltage_sel(struct regulator_dev *rdev, unsigned sel) return ret; } - /* If data is exactly the same, then just update index, no change */ info = &abb->info[sel]; + /* + * When Linux kernel is starting up, we are'nt sure of the + * Bias configuration that bootloader has configured. + * So, we get to know the actual setting the first time + * we are asked to transition. + */ + if (abb->current_info_idx == -EINVAL) + goto just_set_abb; + + /* If data is exactly the same, then just update index, no change */ oinfo = &abb->info[abb->current_info_idx]; if (!memcmp(info, oinfo, sizeof(*info))) { dev_dbg(dev, "%s: Same data new idx=%d, old idx=%d\n", __func__, @@ -351,6 +360,7 @@ static int ti_abb_set_voltage_sel(struct regulator_dev *rdev, unsigned sel) goto out; } +just_set_abb: ret = ti_abb_set_opp(rdev, abb, info); out: -- Regards, Nishanth Menon Key (0xDDB5849D1736249D) / Fingerprint: F8A2 8693 54EB 8232 17A3 1A34 DDB5 849D 1736 249D