Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1068356pxf; Fri, 12 Mar 2021 00:43:54 -0800 (PST) X-Google-Smtp-Source: ABdhPJyaNUz962oSQ5xQhUsJd2poWSKQcOepvntQtqW2djBRsOqVK8nNk/BhsgOuh+hYdplprmEL X-Received: by 2002:a17:906:7f84:: with SMTP id f4mr7105677ejr.525.1615538634173; Fri, 12 Mar 2021 00:43:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615538634; cv=none; d=google.com; s=arc-20160816; b=B7kMNoV/hlxPtb+YMO/iQ6l6wAaB0DTJxSEPHh71BGgw05i2HuMvFV6Ok9Bx4yf6LR t/co0JpxWCmSRRmZvGeFUxBSkWXZSH8Ao9udR/PsVHxIml3pqiFYJh7HhBOahrNA4iGW hzMyYb3J0JNS37LmMctFCeblzym6rSnqtEPualkK0j4M/goj5csozXyV0auzQAqBzMO8 56C54Ex4QaS/hoSdxqt5xf6f8QLPxCVe5boUmxuXmxAYaSSN2wkqk/KUY7tO+hNo2ZWo BXsNcSswr6lEv86/JgPoMbbAjNoQLTWAPSY5hmuEbsEtvaJZSaMxAMmmwm8MP74sLCYL s0VQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version; bh=9Ukmbow+HkN723eJRZvX1IF7v2vav2lhfRD5wpU7iVw=; b=cVIlaEgRS+3VLBfUHS7LsvfZswW70MUnIKBz96Jd6KV5IBbJUbmPX19SCO0KVObGTy hJH8qRSumVgC7AW2nu9knt7RGCQEoEUKioQZIsVPA93C83aE1BI5zOicOyagNVJ1lxXb wzUv0fLhs7IZT78fzSMRuawLZweWy0HJVaQNvJBVex1Ww9L1oNBH8FWSqUPCqk7z5KJ8 20uFtJhjJIa4Gb2Yj3Yi8A/Yf1aDUlEfPusEZ5o7v4rUKTNt9j2Jn9gLpHQK/NKen1Qb 6MyNsXpmoNREfKyYRmvosBIHsXqr1Cip8V/kPVZhUusRiR9CQbuQ6dLrOWOKtCWkE+ZK n3LA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p7si3429690ejf.627.2021.03.12.00.43.31; Fri, 12 Mar 2021 00:43:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232370AbhCLIkn (ORCPT + 99 others); Fri, 12 Mar 2021 03:40:43 -0500 Received: from mout.kundenserver.de ([217.72.192.74]:51739 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232536AbhCLIkM (ORCPT ); Fri, 12 Mar 2021 03:40:12 -0500 Received: from mail-ot1-f44.google.com ([209.85.210.44]) by mrelayeu.kundenserver.de (mreue106 [213.165.67.113]) with ESMTPSA (Nemesis) id 1MwPjf-1ldGgh2rX3-00sOlV for ; Fri, 12 Mar 2021 09:40:10 +0100 Received: by mail-ot1-f44.google.com with SMTP id 75so3173785otn.4 for ; Fri, 12 Mar 2021 00:40:10 -0800 (PST) X-Gm-Message-State: AOAM530E3VB9COxHq/Y7DLHPdH7BABVVabeeJgOZIbotLnuMqsEbspTi vGZIulMLJjpIoLOgCMkwUA/U796wjVGImw7r0o0= X-Received: by 2002:a05:6830:148c:: with SMTP id s12mr2610357otq.251.1615538409449; Fri, 12 Mar 2021 00:40:09 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Arnd Bergmann Date: Fri, 12 Mar 2021 09:39:53 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: arm64 syzbot instances To: Dmitry Vyukov Cc: Mark Rutland , Marc Zyngier , Will Deacon , Ard Biesheuvel , Linux ARM , syzkaller , LKML , John Garry Content-Type: text/plain; charset="UTF-8" X-Provags-ID: V03:K1:Tn11+rvtKFDHYSXiVdqAx653MxaLsl0ytUE+bkf1etAr6LIcl0i RQIotLZ5uPZv5D6kra5YFOdywsExh+/6bip6AGY9VqGtRWuho7oLQPadLjqRUgXTuPPAjCg RmkjdxhrRayJXdBbaKIEahm091RltC9Whw4NiVHZJY3h/SJ24HStUm7AE5MlPYcJxMMWwDE X7YIS8A3t9hSt4WNEgS9A== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:Yjduab4BG0c=:ltHuOjfMlPt7Qn7sGWEA7E FwK1WDo23Mkge2LmGSmIvsjXRJdbdp3ZFYZIFavs4R1tHNKjGEpfBZNmm5odwwsXl3rTnnulg BdI7iXjqagGBXMIBfieBR3J8zbzgPLxfBW+e9zesZtPmBrBAXY4uoEwVO3rnmlWSodaU8AqnA awYNSA1BGU8mQeW1+VcwXHxcyXauP6syuNTteGw9inIsdGYiGrg71HJKCMFVGqmyWxGYhpz9C 8vh/0Tf9fSqrQKUzzYugVp2ywUxWKACfkmFtDlDc2RHVobcHOWpxyEeqVtmZs4+GRLo4J5gqU BXfhej4E/TVl9wg7sriiQpio9tD91yO41n3eY/hqxKBFWp0Pp/arVPVAnzjMTIy5YEC18E8cj MWA+y1XcVt15JAm8R/lqNqGvYM/8Jns1F+AWwXAPa5V3+yWc5WG62+2UpkLZR Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 11, 2021 at 6:57 PM Dmitry Vyukov wrote: > On Thu, Mar 11, 2021 at 2:30 PM Arnd Bergmann wrote: > > > > > > The instances found few arm64-specific issues that we have not > > > observed on other instances: > > > > I've had a brief look at these: > > > > > https://syzkaller.appspot.com/bug?id=1d22a2cc3521d5cf6b41bd6b825793c2015f861f > > > > This one doesn't seem arm64 specific at all. While the KASAN report has shown > > up on arm64, the link to > > https://syzkaller.appspot.com/bug?id=aa8808729c0a3540e6a29f0d45394665caf79dca > > seems to be for x86 machines running into the same problem. > > > > Looking deeper into the log, I see that fw_load_sysfs_fallback() finds > > an existing > > list entry on the global "pending_fw_head" list, which seems to have been freed > > earlier (the allocation listed here is not for a firmware load, so presumably it > > was recycled in the meantime). The log shows that this is the second time that > > loading the regulatory database failed in that run, so my guess is that it was > > the first failed load that left the freed firmware private data on the > > list, but I > > don't see how that happened. > > > > > https://syzkaller.appspot.com/bug?id=bb2c16b0e13b4de4bbf22cf6a4b9b16fb0c20eea > > > > This one rings a bell: opening a 8250 uart on a well-known port must fail > > when no I/O ports are registered in the system, or when the PCI I/O ports > > are mapped to an invalid area. > > > > It seems to be attempting a register access at I/O port '1' (virtual > > address 0xfffffbfffe800001 is one byte into the well-known PCI_IOBASE), > > which is an unusual place for a UART, traditional PCs had it at 0x3F8. > > > > This could be either a result of qemu claiming to support a PIO based UART > > at the first available address, or the table of UARTS being uninitialized > > .bss memory. > > > > Definitely an arm64 specific bug. > > I can reproduce this with just: > > #include > #include > #include > #include > #include > > int main(void) > { > int fd = syscall(__NR_openat, 0xffffffffffffff9cul, "/dev/ttyS3", 0ul, 0ul); > char ch = 0; > syscall(__NR_ioctl, fd, 0x5412, &ch); // TIOCSTI > return 0; > } > > > It does not even do any tty setup... does it point to a qemu bug? There are at least two bugs here, but both could be either in the kernel or in qemu: a) accessing a legacy ISA/LPC port should not result in an oops, but should instead return values with all bits set. There could be a ratelimited console warning about broken drivers, but we can't assume that all drivers work correctly, as some ancient PC style drivers still rely on this. John Garry has recently worked on a related bugfix, so maybe either this is the same bug he encountered (and hasn't merged yet), or if his fix got merged there is still a remaining problem. b) It should not be possible to open /dev/ttyS3 if the device is not initialized. What is the output of 'cat /proc/tty/driver/serial' on this machine? Do you see any messages from the serial driver in the boot log? Unfortunately there are so many different ways to probe devices in the 8250 driver that I don't know where this comes from. Your config file has CONFIG_SERIAL_8250_PNP=y CONFIG_SERIAL_8250_NR_UARTS=32 CONFIG_SERIAL_8250_RUNTIME_UARTS=4 CONFIG_SERIAL_8250_EXTENDED=y I guess it's probably the preconfigured uarts that somehow become probed without initialization, but it could also be an explicit device incorrectly described by qemu. Arnd