* drivers/of: crash on boot
@ 2016-05-18 15:34 ` Sasha Levin
0 siblings, 0 replies; 19+ messages in thread
From: Sasha Levin @ 2016-05-18 15:34 UTC (permalink / raw)
To: rklein; +Cc: robh, LKML, grant.likely, devicetree
Hi Rhyland,
I'm seeing a crash on boot that seems to have been caused by
"drivers/of: Fix depth when unflattening devicetree":
[ 61.145229] ==================================================================
[ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
[ 61.150490] Read of size 4 by task swapper/0/1
[ 61.151892] page:ffffea00016cc1c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 61.154313] flags: 0x1fffff80000000()
[ 61.155460] page dumped because: kasan: bad access detected
[ 61.157174] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0-next-20160518-sasha-00032-gab479e0-dirty #3090
[ 61.160149] 1ffff1000b660e83 000000008a2fe4e6 ffff88005b3074a0 ffffffffa3049c42
[ 61.162473] ffffffff00000000 fffffbfff5c6e404 0000000041b58ab3 ffffffffadceb660
[ 61.164827] ffffffffa3049ad0 ffff88005b307480 ffffffffa16ecb83 ffff88003f501ebc
[ 61.167133] Call Trace:
[ 61.167904] dump_stack (lib/dump_stack.c:53)
[ 61.169541] ? arch_local_irq_restore (./arch/x86/include/asm/paravirt.h:134)
[ 61.171470] ? __dump_page (mm/debug.c:62)
[ 61.173221] kasan_report_error (include/linux/kasan.h:28 mm/kasan/report.c:211 mm/kasan/report.c:277)
[ 61.175067] ? fdt_next_node (lib/../scripts/dtc/libfdt/fdt.c:163)
[ 61.176905] ? unflatten_dt_nodes (drivers/of/fdt.c:417)
[ 61.178852] __asan_report_load4_noabort (mm/kasan/report.c:318)
[ 61.180850] ? unflatten_dt_nodes (drivers/of/fdt.c:417)
[ 61.182766] unflatten_dt_nodes (drivers/of/fdt.c:417)
[ 61.184697] ? reverse_nodes (drivers/of/fdt.c:396)
[ 61.186439] ? set_pageblock_migratetype (mm/page_alloc.c:589)
[ 61.188473] ? kernel_poison_pages (mm/page_poison.c:163)
[ 61.190344] ? lookup_page_ext (mm/page_ext.c:200)
[ 61.192168] ? get_page_from_freelist (mm/page_alloc.c:1747 mm/page_alloc.c:3003)
[ 61.194178] ? get_from_free_list (lib/idr.c:79)
[ 61.196069] ? ida_get_new_above (lib/idr.c:1002)
[ 61.197884] ? idr_get_empty_slot (lib/idr.c:933)
[ 61.199802] ? split_free_page (mm/page_alloc.c:2901)
[ 61.201598] ? ___might_sleep (kernel/sched/core.c:7520 (discriminator 1))
[ 61.203346] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.205328] ? __alloc_pages_slowpath (mm/page_alloc.c:3749)
[ 61.207386] ? alloc_pages_current (mm/mempolicy.c:2078)
[ 61.209281] ? kasan_unpoison_shadow (mm/kasan/kasan.c:59)
[ 61.211155] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.213015] ? of_fdt_unflatten_tree (drivers/of/fdt.c:513)
[ 61.214929] __unflatten_device_tree (drivers/of/fdt.c:488)
[ 61.216901] of_fdt_unflatten_tree (drivers/of/fdt.c:541)
[ 61.218841] of_unittest (drivers/of/unittest.c:924 drivers/of/unittest.c:1936)
[ 61.220556] ? initcall_blacklisted (init/main.c:725)
[ 61.222494] ? try_to_run_init_process (init/main.c:708)
[ 61.224682] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.227059] ? kobject_add (lib/kobject.c:396)
[ 61.229113] ? kobject_add_internal (lib/kobject.c:396)
[ 61.231455] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.233865] do_one_initcall (init/main.c:770)
[ 61.236005] ? initcall_blacklisted (init/main.c:759)
[ 61.238354] ? ___might_sleep (kernel/sched/core.c:7522)
[ 61.240504] kernel_init_freeable (init/main.c:834 init/main.c:843 init/main.c:861 init/main.c:1008)
[ 61.242798] ? start_kernel (init/main.c:978)
[ 61.244919] ? compat_start_thread (arch/x86/kernel/process_64.c:259)
[ 61.247174] kernel_init (init/main.c:936)
[ 61.249162] ret_from_fork (arch/x86/entry/entry_64.S:390)
[ 61.251170] ? rest_init (init/main.c:931)
[ 61.253104] Memory state around the buggy address:
[ 61.254888] ffff88005b307600: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 61.257551] ffff88005b307680: 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
[ 61.260255] >ffff88005b307700: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
[ 61.262911] ^
[ 61.265529] ffff88005b307780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.268218] ffff88005b307800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.270874] ==================================================================
[ 61.273558] Disabling lock debugging due to kernel taint
[ 61.275648] ==================================================================
[ 61.278303] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x1236/0x1290 at addr ffff88005b307898
[ 61.281794] Read of size 8 by task swapper/0/1
[ 61.283483] page:ffffea00016cc1c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 61.286454] flags: 0x1fffff80000000()
[ 61.287817] page dumped because: kasan: bad access detected
[ 61.289904] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 4.6.0-next-20160518-sasha-00032-gab479e0-dirty #3090
[ 61.293896] 1ffff1000b660e83 000000008a2fe4e6 ffff88005b3074a0 ffffffffa3049c42
[ 61.296711] ffffffff00000000 fffffbfff5c6e404 0000000041b58ab3 ffffffffadceb660
[ 61.299551] ffffffffa3049ad0 ffff88005b307480 ffffffffa16ecb83 1ffff1000b660e7c
[ 61.302345] Call Trace:
[ 61.303276] dump_stack (lib/dump_stack.c:53)
[ 61.305261] ? arch_local_irq_restore (./arch/x86/include/asm/paravirt.h:134)
[ 61.307630] ? __dump_page (mm/debug.c:62)
[ 61.309695] kasan_report_error (include/linux/kasan.h:28 mm/kasan/report.c:211 mm/kasan/report.c:277)
[ 61.311931] ? unflatten_dt_nodes (drivers/of/fdt.c:280 drivers/of/fdt.c:417)
[ 61.314291] __asan_report_load8_noabort (mm/kasan/report.c:319)
[ 61.316748] ? unflatten_dt_nodes (drivers/of/fdt.c:280 drivers/of/fdt.c:417)
[ 61.319090] unflatten_dt_nodes (drivers/of/fdt.c:280 drivers/of/fdt.c:417)
[ 61.321417] ? reverse_nodes (drivers/of/fdt.c:396)
[ 61.323547] ? set_pageblock_migratetype (mm/page_alloc.c:589)
[ 61.325990] ? kernel_poison_pages (mm/page_poison.c:163)
[ 61.328309] ? lookup_page_ext (mm/page_ext.c:200)
[ 61.330487] ? get_page_from_freelist (mm/page_alloc.c:1747 mm/page_alloc.c:3003)
[ 61.333007] ? get_from_free_list (lib/idr.c:79)
[ 61.335286] ? ida_get_new_above (lib/idr.c:1002)
[ 61.337542] ? idr_get_empty_slot (lib/idr.c:933)
[ 61.339888] ? split_free_page (mm/page_alloc.c:2901)
[ 61.342067] ? ___might_sleep (kernel/sched/core.c:7520 (discriminator 1))
[ 61.344201] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.346616] ? __alloc_pages_slowpath (mm/page_alloc.c:3749)
[ 61.349125] ? alloc_pages_current (mm/mempolicy.c:2078)
[ 61.351425] ? kasan_unpoison_shadow (mm/kasan/kasan.c:59)
[ 61.353769] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.356028] ? of_fdt_unflatten_tree (drivers/of/fdt.c:513)
[ 61.358290] __unflatten_device_tree (drivers/of/fdt.c:488)
[ 61.360644] of_fdt_unflatten_tree (drivers/of/fdt.c:541)
[ 61.362879] of_unittest (drivers/of/unittest.c:924 drivers/of/unittest.c:1936)
[ 61.364922] ? initcall_blacklisted (init/main.c:725)
[ 61.367248] ? try_to_run_init_process (init/main.c:708)
[ 61.369596] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.371961] ? kobject_add (lib/kobject.c:396)
[ 61.374017] ? kobject_add_internal (lib/kobject.c:396)
[ 61.376375] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.378729] do_one_initcall (init/main.c:770)
[ 61.380868] ? initcall_blacklisted (init/main.c:759)
[ 61.383256] ? ___might_sleep (kernel/sched/core.c:7522)
[ 61.385393] kernel_init_freeable (init/main.c:834 init/main.c:843 init/main.c:861 init/main.c:1008)
[ 61.387720] ? start_kernel (init/main.c:978)
[ 61.389819] ? compat_start_thread (arch/x86/kernel/process_64.c:259)
[ 61.392101] kernel_init (init/main.c:936)
[ 61.394078] ret_from_fork (arch/x86/entry/entry_64.S:390)
[ 61.396076] ? rest_init (init/main.c:931)
[ 61.398002] Memory state around the buggy address:
[ 61.399808] ffff88005b307780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.402440] ffff88005b307800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.405131] >ffff88005b307880: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.407790] ^
[ 61.409262] ffff88005b307900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.411905] ffff88005b307980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 61.414554] ==================================================================
[ 61.417425] ================================================================================
[ 61.420535] UBSAN: Undefined behaviour in lib/string.c:91:20
[ 61.422646] load of null pointer of type 'const char'
[ 61.424556] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 4.6.0-next-20160518-sasha-00032-gab479e0-dirty #3090
[ 61.428570] 1ffff1000b660e80 000000008a2fe4e6 ffff88005b307488 ffffffffa3049c42
[ 61.431389] ffffffff00000000 fffffbfff5c6e404 0000000041b58ab3 ffffffffadceb660
[ 61.434215] ffffffffa3049ad0 ffff88005b3074b0 ffff88005b307450 ffff88005b307480
[ 61.437020] Call Trace:
[ 61.437943] dump_stack (lib/dump_stack.c:53)
[ 61.439932] ? arch_local_irq_restore (./arch/x86/include/asm/paravirt.h:134)
[ 61.442294] ubsan_epilogue (lib/ubsan.c:165)
[ 61.444363] __ubsan_handle_type_mismatch (lib/ubsan.c:281 lib/ubsan.c:323)
[ 61.446875] ? kobject_init (lib/kobject.c:326)
[ 61.449009] ? ubsan_epilogue (lib/ubsan.c:320)
[ 61.451095] ? kobject_get_path (lib/kobject.c:326)
[ 61.453341] strcpy (lib/string.c:91)
[ 61.455147] unflatten_dt_nodes (drivers/of/fdt.c:331 drivers/of/fdt.c:417)
[ 61.457381] ? reverse_nodes (drivers/of/fdt.c:396)
[ 61.459481] ? set_pageblock_migratetype (mm/page_alloc.c:589)
[ 61.461943] ? kernel_poison_pages (mm/page_poison.c:163)
[ 61.464233] ? lookup_page_ext (mm/page_ext.c:200)
[ 61.466424] ? get_page_from_freelist (mm/page_alloc.c:1747 mm/page_alloc.c:3003)
[ 61.468936] ? split_free_page (mm/page_alloc.c:2901)
[ 61.471135] ? ___might_sleep (kernel/sched/core.c:7520 (discriminator 1))
[ 61.473282] ? __might_sleep (kernel/sched/core.c:7512 (discriminator 14))
[ 61.475410] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.477792] ? __alloc_pages_slowpath (mm/page_alloc.c:3749)
[ 61.480269] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.482681] ? alloc_pages_current (mm/mempolicy.c:2078)
[ 61.486636] ? kasan_unpoison_shadow (mm/kasan/kasan.c:59)
[ 61.488969] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.491291] ? kmalloc_order (mm/slab_common.c:1020 (discriminator 4))
[ 61.493378] ? __kmalloc (include/linux/slab.h:403 include/linux/slab.h:410 mm/slub.c:3554)
[ 61.495360] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.497644] __unflatten_device_tree (include/uapi/linux/swab.h:178 include/uapi/linux/byteorder/little_endian.h:81 drivers/of/fdt.c:504)
[ 61.500032] of_fdt_unflatten_tree (drivers/of/fdt.c:541)
[ 61.502297] of_unittest (drivers/of/unittest.c:924 drivers/of/unittest.c:1936)
[ 61.504309] ? initcall_blacklisted (init/main.c:725)
[ 61.506641] ? try_to_run_init_process (init/main.c:708)
[ 61.509022] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.511404] ? kobject_add (lib/kobject.c:396)
[ 61.513443] ? kobject_add_internal (lib/kobject.c:396)
[ 61.515804] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.518156] do_one_initcall (init/main.c:770)
[ 61.520277] ? initcall_blacklisted (init/main.c:759)
[ 61.522605] ? ___might_sleep (kernel/sched/core.c:7522)
[ 61.524736] kernel_init_freeable (init/main.c:834 init/main.c:843 init/main.c:861 init/main.c:1008)
[ 61.526991] ? start_kernel (init/main.c:978)
[ 61.529067] ? compat_start_thread (arch/x86/kernel/process_64.c:259)
[ 61.531286] kernel_init (init/main.c:936)
[ 61.533257] ret_from_fork (arch/x86/entry/entry_64.S:390)
[ 61.535246] ? rest_init (init/main.c:931)
[ 61.537187] ================================================================================
[ 61.540419] kasan: CONFIG_KASAN_INLINE enabled
[ 61.542078] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 61.544815] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 61.547069] Modules linked in:
[ 61.548271] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 4.6.0-next-20160518-sasha-00032-gab479e0-dirty #3090
[ 61.552201] task: ffff88005b2f8000 ti: ffff88005b300000 task.ti: ffff88005b300000
[ 61.554922] RIP: strcpy (lib/string.c:91 (discriminator 1))
[ 61.557733] RSP: 0000:ffff88005b307558 EFLAGS: 00010246
[ 61.559677] RAX: ffff88004f2a00a8 RBX: ffff88004f2a00a8 RCX: dffffc0000000000
[ 61.562283] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88005b2f8b78
[ 61.564912] RBP: ffff88005b307590 R08: 0000000000000000 R09: 0000000000000001
[ 61.567533] R10: dffffc0000000000 R11: 0000000000000007 R12: 0000000000000000
[ 61.570138] R13: ffff88005b2f8000 R14: 0000000000000001 R15: ffff88004f2a00a9
[ 61.572753] FS: 0000000000000000(0000) GS:ffff880063e00000(0000) knlGS:0000000000000000
[ 61.575709] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 61.577806] CR2: 00000000ffffffff CR3: 000000002e023000 CR4: 00000000000406b0
[ 61.580458] Stack:
[ 61.581219] dffffc0000000000 ffff88004f2a00a8 ffff88004f2a00a8 1ffff1000b65f008
[ 61.584025] ffff88005b2f8000 dffffc0000000000 ffff88004f2a0000 ffff88005b307b08
[ 61.586790] ffffffffa9ef0cbd ffff88005b307600 1ffff1000b660ecc ffffed000b660f7b
[ 61.589578] Call Trace:
[ 61.590498] unflatten_dt_nodes (drivers/of/fdt.c:331 drivers/of/fdt.c:417)
[ 61.592745] ? reverse_nodes (drivers/of/fdt.c:396)
[ 61.594861] ? set_pageblock_migratetype (mm/page_alloc.c:589)
[ 61.597306] ? kernel_poison_pages (mm/page_poison.c:163)
[ 61.599552] ? lookup_page_ext (mm/page_ext.c:200)
[ 61.601702] ? get_page_from_freelist (mm/page_alloc.c:1747 mm/page_alloc.c:3003)
[ 61.604162] ? split_free_page (mm/page_alloc.c:2901)
[ 61.606348] ? ___might_sleep (kernel/sched/core.c:7520 (discriminator 1))
[ 61.608473] ? __might_sleep (kernel/sched/core.c:7512 (discriminator 14))
[ 61.610581] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.613009] ? __alloc_pages_slowpath (mm/page_alloc.c:3749)
[ 61.615451] ? __alloc_pages_nodemask (mm/page_alloc.c:3804)
[ 61.617861] ? alloc_pages_current (mm/mempolicy.c:2078)
[ 61.620164] ? kasan_unpoison_shadow (mm/kasan/kasan.c:59)
[ 61.622445] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.624705] ? kmalloc_order (mm/slab_common.c:1020 (discriminator 4))
[ 61.626757] ? __kmalloc (include/linux/slab.h:403 include/linux/slab.h:410 mm/slub.c:3554)
[ 61.628714] ? kasan_kmalloc_large (mm/kasan/kasan.c:612)
[ 61.630953] __unflatten_device_tree (include/uapi/linux/swab.h:178 include/uapi/linux/byteorder/little_endian.h:81 drivers/of/fdt.c:504)
[ 61.633339] of_fdt_unflatten_tree (drivers/of/fdt.c:541)
[ 61.635630] of_unittest (drivers/of/unittest.c:924 drivers/of/unittest.c:1936)
[ 61.637628] ? initcall_blacklisted (init/main.c:725)
[ 61.639961] ? try_to_run_init_process (init/main.c:708)
[ 61.642306] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.644668] ? kobject_add (lib/kobject.c:396)
[ 61.646708] ? kobject_add_internal (lib/kobject.c:396)
[ 61.649048] ? of_unittest_overlay (drivers/of/unittest.c:1931)
[ 61.651375] do_one_initcall (init/main.c:770)
[ 61.653506] ? initcall_blacklisted (init/main.c:759)
[ 61.655861] ? ___might_sleep (kernel/sched/core.c:7522)
[ 61.657963] kernel_init_freeable (init/main.c:834 init/main.c:843 init/main.c:861 init/main.c:1008)
[ 61.660258] ? start_kernel (init/main.c:978)
[ 61.662340] ? compat_start_thread (arch/x86/kernel/process_64.c:259)
[ 61.664584] kernel_init (init/main.c:936)
[ 61.666529] ret_from_fork (arch/x86/entry/entry_64.S:390)
[ 61.668527] ? rest_init (init/main.c:931)
[ 61.670424] Code: 31 f6 48 c7 c7 60 3b 7e b1 48 89 4d c8 48 89 45 d0 e8 46 bc 0d 00 48 8b 4d c8 48 8b 45 d0 4c 89 e2 4c 89 e6 48 c1 ea 03 83 e6 07 <0f> b6 3c 0a 40 38 f7 7f 1d 40 84 ff 74 18 4c 89 e7 48 89 4d c8
All code
========
0: 31 f6 xor %esi,%esi
2: 48 c7 c7 60 3b 7e b1 mov $0xffffffffb17e3b60,%rdi
9: 48 89 4d c8 mov %rcx,-0x38(%rbp)
d: 48 89 45 d0 mov %rax,-0x30(%rbp)
11: e8 46 bc 0d 00 callq 0xdbc5c
16: 48 8b 4d c8 mov -0x38(%rbp),%rcx
1a: 48 8b 45 d0 mov -0x30(%rbp),%rax
1e: 4c 89 e2 mov %r12,%rdx
21: 4c 89 e6 mov %r12,%rsi
24: 48 c1 ea 03 shr $0x3,%rdx
28: 83 e6 07 and $0x7,%esi
2b:* 0f b6 3c 0a movzbl (%rdx,%rcx,1),%edi <-- trapping instruction
2f: 40 38 f7 cmp %sil,%dil
32: 7f 1d jg 0x51
34: 40 84 ff test %dil,%dil
37: 74 18 je 0x51
39: 4c 89 e7 mov %r12,%rdi
3c: 48 89 4d c8 mov %rcx,-0x38(%rbp)
...
Code starting with the faulting instruction
===========================================
0: 0f b6 3c 0a movzbl (%rdx,%rcx,1),%edi
4: 40 38 f7 cmp %sil,%dil
7: 7f 1d jg 0x26
9: 40 84 ff test %dil,%dil
c: 74 18 je 0x26
e: 4c 89 e7 mov %r12,%rdi
11: 48 89 4d c8 mov %rcx,-0x38(%rbp)
...
[ 61.679043] RIP strcpy (lib/string.c:91 (discriminator 1))
[ 61.680988] RSP <ffff88005b307558>
[ 61.682492] ---[ end trace 9406a61b6302e0e2 ]---
[ 61.684450] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 61.684450]
[ 61.688150] Kernel Offset: 0x20000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 61.692255] Rebooting in 1 seconds..
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: drivers/of: crash on boot
@ 2016-05-18 19:36 ` Rob Herring
0 siblings, 0 replies; 19+ messages in thread
From: Rob Herring @ 2016-05-18 19:36 UTC (permalink / raw)
To: Sasha Levin, Rhyland Klein, Gavin Shan; +Cc: LKML, Grant Likely, devicetree
On Wed, May 18, 2016 at 10:34 AM, Sasha Levin <sasha.levin@oracle.com> wrote:
> Hi Rhyland,
>
> I'm seeing a crash on boot that seems to have been caused by
> "drivers/of: Fix depth when unflattening devicetree":
>
> [ 61.145229] ==================================================================
>
> [ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
The following appears to fix it for me. Rhyland, please confirm.
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 7f38241..888ec2a 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -409,7 +409,7 @@ static int unflatten_dt_nodes(const void *blob,
fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
nps[depth+1] = dad;
for (offset = 0;
- offset >= 0;
+ offset >= 0, depth >= 0;
offset = fdt_next_node(blob, offset, &depth)) {
if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
continue;
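Review bot: the new loop condition `offset >= 0, depth >= 0;` uses the comma operator, so only `depth >= 0` is tested and `offset >= 0` is evaluated and discarded (gcc flags this with -Wunused-value); a negative error return from fdt_next_node would then be fed straight back into the next fdt_next_node call instead of ending the loop. Write the condition as `offset >= 0 && depth >= 0;`.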
* Re: drivers/of: crash on boot
@ 2016-05-18 19:58 ` Rhyland Klein
0 siblings, 0 replies; 19+ messages in thread
From: Rhyland Klein @ 2016-05-18 19:58 UTC (permalink / raw)
To: Rob Herring, Sasha Levin, Gavin Shan; +Cc: LKML, Grant Likely, devicetree
On 5/18/2016 3:36 PM, Rob Herring wrote:
> On Wed, May 18, 2016 at 10:34 AM, Sasha Levin <sasha.levin@oracle.com> wrote:
>> Hi Rhyland,
>>
>> I'm seeing a crash on boot that seems to have been caused by
>> "drivers/of: Fix depth when unflattening devicetree":
>>
>> [ 61.145229] ==================================================================
>>
>> [ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
>
> The following appears to fix it for me. Rhyland, please confirm.
>
> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
> index 7f38241..888ec2a 100644
> --- a/drivers/of/fdt.c
> +++ b/drivers/of/fdt.c
> @@ -409,7 +409,7 @@ static int unflatten_dt_nodes(const void *blob,
> fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
> nps[depth+1] = dad;
> for (offset = 0;
> - offset >= 0;
> + offset >= 0, depth >= 0;
> offset = fdt_next_node(blob, offset, &depth)) {
> if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
> continue;
>
If I try that patch, I see this when compiling:
In function ‘unflatten_dt_nodes’:
warning: left-hand operand of comma expression has no effect
[-Wunused-value]
offset >= 0, depth >= 0;
And if I boot it, then I hit a NULL pointer dereference:
[ 0.000000] Unable to handle kernel NULL pointer dereference at
virtual address 00000058
[ 0.000000] pgd = ffff000008cb4000
[ 0.000000] [00000058] *pgd=000000013fffe003, *pud=000000013fffd003,
*pmd=0000000000000000
[ 0.000000] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 0.000000] Modules linked in:
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted
4.6.0-next-20160518+ #26
[ 0.000000] Hardware name: Google Pixel C (DT)
[ 0.000000] task: ffff000008bdd880 ti: ffff000008bd0000 task.ti:
ffff000008bd0000
[ 0.000000] PC is at unflatten_dt_nodes+0x430/0x598
[ 0.000000] LR is at unflatten_dt_nodes+0x41c/0x598
[ 0.000000] pc : [<ffff0000086633dc>] lr : [<ffff0000086633c8>]
pstate: 800002c5
If I run this on my board, I see unflatten_dt_nodes return from inside
the loop after "populate_node" when called with depth = -1 (returning
mem-base) rather than breaking out of the loop and continuing.
-rhyland
--
nvpublic
* Re: drivers/of: crash on boot
@ 2016-05-18 21:26 ` Rhyland Klein
0 siblings, 0 replies; 19+ messages in thread
From: Rhyland Klein @ 2016-05-18 21:26 UTC (permalink / raw)
To: Rob Herring, Sasha Levin, Gavin Shan; +Cc: LKML, Grant Likely, devicetree
On 5/18/2016 3:58 PM, Rhyland Klein wrote:
> On 5/18/2016 3:36 PM, Rob Herring wrote:
>> On Wed, May 18, 2016 at 10:34 AM, Sasha Levin <sasha.levin@oracle.com> wrote:
>>> Hi Rhyland,
>>>
>>> I'm seeing a crash on boot that seems to have been caused by
>>> "drivers/of: Fix depth when unflattening devicetree":
>>>
>>> [ 61.145229] ==================================================================
>>>
>>> [ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
>>
>> The following appears to fix it for me. Rhyland, please confirm.
>>
>> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>> index 7f38241..888ec2a 100644
>> --- a/drivers/of/fdt.c
>> +++ b/drivers/of/fdt.c
>> @@ -409,7 +409,7 @@ static int unflatten_dt_nodes(const void *blob,
>> fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
>> nps[depth+1] = dad;
>> for (offset = 0;
>> - offset >= 0;
>> + offset >= 0, depth >= 0;
>> offset = fdt_next_node(blob, offset, &depth)) {
>> if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
>> continue;
>>
>
> If I try that patch, i see this when compiling:
>
> In function ‘unflatten_dt_nodes’:
> warning: left-hand operand of comma expression has no effect
> [-Wunused-value]
> offset >= 0, depth >= 0;
>
This patch seems to work for me. I found a bug in my original patch.
Sasha/Rob, can you see if this works for you too:
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 0b5850027bb5..e7a8caac5b27 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -407,9 +407,9 @@ static int unflatten_dt_nodes(const void *blob,
root = dad;
fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
- nps[depth+1] = dad;
+ nps[depth] = dad;
for (offset = 0;
- offset >= 0;
+ offset >= 0 && depth >= 0;
offset = fdt_next_node(blob, offset, &depth)) {
if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
continue;
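Review bot: `nps[depth] = dad;` moves the initial parent slot from depth+1 to depth, but the hunk shows neither the loop body that reads nps[] nor the place that stores child nodes into it, so a reviewer cannot check that both sides now agree; please widen the context or say in the commit message what the original off-by-one was ("I found a bug in my original patch" is not enough for git history). The `&& depth >= 0` line also deserves a comment: it exists because, as reported earlier in the thread, the body could otherwise be entered with depth == -1 after the root node closes, which is what indexes fpsizes[]/nps[] out of bounds.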
-rhyland
--
nvpublic
* Re: drivers/of: crash on boot
@ 2016-05-19 0:23 ` Rob Herring
0 siblings, 0 replies; 19+ messages in thread
From: Rob Herring @ 2016-05-19 0:23 UTC (permalink / raw)
To: Rhyland Klein; +Cc: Sasha Levin, Gavin Shan, LKML, Grant Likely, devicetree
On Wed, May 18, 2016 at 4:26 PM, Rhyland Klein <rklein@nvidia.com> wrote:
> On 5/18/2016 3:58 PM, Rhyland Klein wrote:
>> On 5/18/2016 3:36 PM, Rob Herring wrote:
>>> On Wed, May 18, 2016 at 10:34 AM, Sasha Levin <sasha.levin@oracle.com> wrote:
>>>> Hi Rhyland,
>>>>
>>>> I'm seeing a crash on boot that seems to have been caused by
>>>> "drivers/of: Fix depth when unflattening devicetree":
>>>>
>>>> [ 61.145229] ==================================================================
>>>>
>>>> [ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
>>>
>>> The following appears to fix it for me. Rhyland, please confirm.
>>>
>>> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>>> index 7f38241..888ec2a 100644
>>> --- a/drivers/of/fdt.c
>>> +++ b/drivers/of/fdt.c
>>> @@ -409,7 +409,7 @@ static int unflatten_dt_nodes(const void *blob,
>>> fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
>>> nps[depth+1] = dad;
>>> for (offset = 0;
>>> - offset >= 0;
>>> + offset >= 0, depth >= 0;
>>> offset = fdt_next_node(blob, offset, &depth)) {
>>> if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
>>> continue;
>>>
>>
>> If I try that patch, i see this when compiling:
>>
>> In function ‘unflatten_dt_nodes’:
>> warning: left-hand operand of comma expression has no effect
>> [-Wunused-value]
>> offset >= 0, depth >= 0;
Doh! However, that does make the unit test pass and I don't see a NULL ptr...
>>
>
> This patch seems to work for me. I found a bug in my original patch.
> Sasha/Rob, can you see if this works for you too:
>
> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
> index 0b5850027bb5..e7a8caac5b27 100644
> --- a/drivers/of/fdt.c
> +++ b/drivers/of/fdt.c
> @@ -407,9 +407,9 @@ static int unflatten_dt_nodes(const void *blob,
>
> root = dad;
> fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
> - nps[depth+1] = dad;
> + nps[depth] = dad;
> for (offset = 0;
> - offset >= 0;
> + offset >= 0 && depth >= 0;
> offset = fdt_next_node(blob, offset, &depth)) {
> if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
> continue;
This does not work for me. I'm booting x86 with the DT unit test and
KASAN enabled. I suspect our differences are due to different data
after the end of the dtb. Also, I think there may be a bug in
fdt_next_node FDT_END handling. The "!depth" seems suspicious to me
and I think it should be "!(*depth)".
The DT overlay unit tests are also failing. Not sure if that's related.
Rob
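Added example, not kernel or libfdt code: a C model of fdt_next_node's depth bookkeeping and of the unflatten_dt_nodes loop, run with the three loop conditions from this thread (`offset >= 0`, the comma form, and `offset >= 0 && depth >= 0`) over two constructed token sequences. Token indices stand in for byte offsets and the error codes are placeholders. In the model the original condition lets the body run once with depth == -1, the `&&` form stops before that, and the comma form, which only tests depth, never terminates on a blob whose root node is not closed; neither variant reads past FDT_END, which matches the report being a stack (depth-indexed array) access rather than a read past the blob.

```c
#include <stdint.h>
#include <stdio.h>

/* Structure-block tokens, values as in the flattened devicetree format. */
enum { FDT_BEGIN_NODE = 1, FDT_END_NODE = 2, FDT_PROP = 3, FDT_NOP = 4, FDT_END = 9 };
/* Placeholder error codes; libfdt's real values are not reproduced here. */
enum { ERR_NOTFOUND = -1, ERR_BADOFFSET = -2, ERR_TRUNCATED = -3 };
/* Offsets are token indices rather than byte offsets: the depth bookkeeping
 * is identical and the constructed blobs stay readable. */
struct blob { const uint32_t *tok; int len; };

/* Constructed: / { a { a1 {}; }; b {}; }; followed by tokens after FDT_END
 * that stand in for whatever memory happens to follow the real dtb. */
static const uint32_t good_tok[] = {
    FDT_BEGIN_NODE, FDT_PROP, FDT_BEGIN_NODE, FDT_BEGIN_NODE, FDT_END_NODE, FDT_NOP,
    FDT_END_NODE, FDT_BEGIN_NODE, FDT_END_NODE, FDT_END_NODE, FDT_END,
    FDT_BEGIN_NODE, FDT_BEGIN_NODE,
};
static const struct blob good_tree = { good_tok, sizeof good_tok / sizeof good_tok[0] };
/* Constructed: the root node is never closed, so FDT_END arrives at depth 0. */
static const uint32_t trunc_tok[] = { FDT_BEGIN_NODE, FDT_BEGIN_NODE, FDT_END_NODE, FDT_END };
static const struct blob truncated_tree = { trunc_tok, sizeof trunc_tok / sizeof trunc_tok[0] };

/* Model of libfdt's fdt_next_node(): step from the BEGIN_NODE at offset to the
 * next BEGIN_NODE, *depth +1 per BEGIN_NODE and -1 per END_NODE. When an END_NODE
 * takes *depth below zero the function returns the NON-negative offset of the
 * following token, so a caller that tests only offset >= 0 keeps going. */
static int next_node(const struct blob *b, int offset, int *depth, int *max_read)
{
    int next = 0;                  /* a negative offset restarts at the first token */
    uint32_t tag;
    if (offset >= 0) {             /* caller must sit on a node, as libfdt checks */
        if (offset >= b->len || b->tok[offset] != FDT_BEGIN_NODE)
            return ERR_BADOFFSET;
        next = offset + 1;
    }
    do {
        offset = next;
        if (offset >= b->len)
            return ERR_TRUNCATED;
        if (offset > *max_read) *max_read = offset;
        tag = b->tok[offset];
        next = offset + 1;
        switch (tag) {
        case FDT_PROP: case FDT_NOP: break;
        case FDT_BEGIN_NODE: (*depth)++; break;
        case FDT_END_NODE:
            if (--(*depth) < 0)
                return next;       /* *depth is -1 here, yet the result is >= 0 */
            break;
        case FDT_END: return ERR_NOTFOUND;
        default: return ERR_BADOFFSET;
        }
    } while (tag != FDT_BEGIN_NODE);
    return offset;
}

/* The three loop conditions that appear in the thread. */
enum loop_cond { COND_OFFSET_ONLY, COND_COMMA, COND_BOTH };

struct walk_result {
    int iterations;      /* loop-body entries, capped at 64 to model a hang */
    int body_neg_depth;  /* entries with depth < 0, where nps[depth] is out of bounds */
    int final_depth;
    int max_read;        /* highest token index next_node() read */
};

/* Mirror of the for-loop in unflatten_dt_nodes, with the body reduced to counting. */
static struct walk_result walk(const struct blob *b, enum loop_cond cond)
{
    struct walk_result r = { 0, 0, 0, 0 };
    int depth = 0, offset = 0;
    while (r.iterations < 64) {
        int keep_going;
        switch (cond) {
        case COND_OFFSET_ONLY: keep_going = offset >= 0; break;
        case COND_COMMA: keep_going = depth >= 0; break; /* all (offset >= 0, depth >= 0) tests */
        default: keep_going = offset >= 0 && depth >= 0; break;
        }
        if (!keep_going)
            break;
        r.iterations++;
        if (depth < 0)
            r.body_neg_depth++; /* the real body would index fpsizes[depth] / nps[depth] here */
        offset = next_node(b, offset, &depth, &r.max_read);
    }
    r.final_depth = depth;
    return r;
}

int main(void)
{
    for (int c = COND_OFFSET_ONLY; c <= COND_BOTH; c++) {
        struct walk_result g = walk(&good_tree, c), t = walk(&truncated_tree, c);
        printf("cond %d: good iters=%d neg=%d depth=%d max_read=%d | truncated iters=%d\n",
               c, g.iterations, g.body_neg_depth, g.final_depth, g.max_read, t.iterations);
    }
    return 0;
}
```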
* Re: drivers/of: crash on boot
@ 2016-05-19 1:51 ` Rob Herring
0 siblings, 0 replies; 19+ messages in thread
From: Rob Herring @ 2016-05-19 1:51 UTC (permalink / raw)
To: Rhyland Klein; +Cc: Sasha Levin, Gavin Shan, LKML, Grant Likely, devicetree
On Wed, May 18, 2016 at 7:23 PM, Rob Herring <robh@kernel.org> wrote:
> On Wed, May 18, 2016 at 4:26 PM, Rhyland Klein <rklein@nvidia.com> wrote:
>> On 5/18/2016 3:58 PM, Rhyland Klein wrote:
>>> On 5/18/2016 3:36 PM, Rob Herring wrote:
>>>> On Wed, May 18, 2016 at 10:34 AM, Sasha Levin <sasha.levin@oracle.com> wrote:
>>>>> Hi Rhyland,
>>>>>
>>>>> I'm seeing a crash on boot that seems to have been caused by
>>>>> "drivers/of: Fix depth when unflattening devicetree":
>>>>>
>>>>> [ 61.145229] ==================================================================
>>>>>
>>>>> [ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
[...]
>> This patch seems to work for me. I found a bug in my original patch.
>> Sasha/Rob, can you see if this works for you too:
>>
>> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>> index 0b5850027bb5..e7a8caac5b27 100644
>> --- a/drivers/of/fdt.c
>> +++ b/drivers/of/fdt.c
>> @@ -407,9 +407,9 @@ static int unflatten_dt_nodes(const void *blob,
>>
>> root = dad;
>> fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
>> - nps[depth+1] = dad;
>> + nps[depth] = dad;
>> for (offset = 0;
>> - offset >= 0;
>> + offset >= 0 && depth >= 0;
>> offset = fdt_next_node(blob, offset, &depth)) {
>> if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
>> continue;
>
> This does not work for me. I'm booting x86 with the DT unit test and
> KASAN enabled. I suspect our differences are due to different data
> after the end of the dtb. Also, I think there may be a bug in
> fdt_next_node FDT_END handling. The "!depth" seems suspicious to me
> and I think it should be "!(*depth)".
>
> The DT overlay unit tests are also failing. Not sure if that's related.
Seems with the above patch and the fix to fdt_next_node, the problem
is fixed both for KASAN and the DT overlay tests. Trying it out now
with some other configurations.
Rob
* Re: drivers/of: crash on boot
@ 2016-05-19 11:19 ` Gavin Shan
0 siblings, 0 replies; 19+ messages in thread
From: Gavin Shan @ 2016-05-19 11:19 UTC (permalink / raw)
To: Rob Herring
Cc: Rhyland Klein, Sasha Levin, Gavin Shan, LKML, Grant Likely, devicetree
On Wed, May 18, 2016 at 08:51:59PM -0500, Rob Herring wrote:
>On Wed, May 18, 2016 at 7:23 PM, Rob Herring <robh@kernel.org> wrote:
>> On Wed, May 18, 2016 at 4:26 PM, Rhyland Klein <rklein@nvidia.com> wrote:
>>> On 5/18/2016 3:58 PM, Rhyland Klein wrote:
>>>> On 5/18/2016 3:36 PM, Rob Herring wrote:
>>>>> On Wed, May 18, 2016 at 10:34 AM, Sasha Levin <sasha.levin@oracle.com> wrote:
>>>>>> Hi Rhyland,
>>>>>>
>>>>>> I'm seeing a crash on boot that seems to have been caused by
>>>>>> "drivers/of: Fix depth when unflattening devicetree":
>>>>>>
>>>>>> [ 61.145229] ==================================================================
>>>>>>
>>>>>> [ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
>
>[...]
>
>>> This patch seems to work for me. I found a bug in my original patch.
>>> Sasha/Rob, can you see if this works for you too:
>>>
>>> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>>> index 0b5850027bb5..e7a8caac5b27 100644
>>> --- a/drivers/of/fdt.c
>>> +++ b/drivers/of/fdt.c
>>> @@ -407,9 +407,9 @@ static int unflatten_dt_nodes(const void *blob,
>>>
>>> root = dad;
>>> fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
>>> - nps[depth+1] = dad;
>>> + nps[depth] = dad;
>>> for (offset = 0;
>>> - offset >= 0;
>>> + offset >= 0 && depth >= 0;
>>> offset = fdt_next_node(blob, offset, &depth)) {
>>> if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
>>> continue;
>>
>> This does not work for me. I'm booting x86 with the DT unit test and
>> KASAN enabled. I suspect our differences are due to different data
>> after the end of the dtb. Also, I think there may be a bug in
>> fdt_next_node FDT_END handling. The "!depth" seems suspicious to me
>> and I think it should be "!(*depth)".
>>
>> The DT overlay unit tests are also failing. Not sure if that's related.
>
>Seems with the above patch and the fix to fdt_next_node, the problem
>is fixed both for KASAN and the DT overlay tests. Trying it out now
>with some other configurations.
>
There're 5 patches I introduced to drivers/of/fdt.c (A). Rhyland had
one patch based on them (B). The code change in this thread is (C).
I tried several cases as below.
There is one failing case caused by something we don't know yet. I
will do some investigation unless it's not an issue or a known issue
of unittest itself.
[1]. (A) excluded, (B) excluded, (C) excluded
=============================================
device-tree: Duplicate name in testcase-data, renamed to "duplicate-name#1"
### dt-test ### start of unittest - you will see error messages
/testcase-data/phandle-tests/consumer-a: could not get #phandle-cells-missing for /testcase-data/phandle-tests/provider1
/testcase-data/phandle-tests/consumer-a: could not get #phandle-cells-missing for /testcase-data/phandle-tests/provider1
/testcase-data/phandle-tests/consumer-a: could not find phandle
/testcase-data/phandle-tests/consumer-a: could not find phandle
/testcase-data/phandle-tests/consumer-a: arguments longer than property
/testcase-data/phandle-tests/consumer-a: arguments longer than property
irq: XICS didn't like hwirq-0x1 to VIRQ32 mapping (rc=-22)
irq: XICS didn't like hwirq-0x1 to VIRQ32 mapping (rc=-22)
### dt-test ### FAIL of_unittest_platform_populate():783 device deferred probe failed - 0
overlay_is_topmost: #5 clashes #6 @/testcase-data/overlay-node/test-bus/test-unittest8
overlay_removal_is_ok: overlay #5 is not topmost
of_overlay_destroy: removal check failed for overlay #5
### dt-test ### end of unittest - 147 passed, 1 failed
[2]. (A) included, (B) excluded, (C) excluded
=============================================
Same output as [1]
[3]. (A) included, (B) included, (C) excluded
=============================================
System fails to boot
[4]. (A) included, (B) included, (C) included
=============================================
Same output as [1] and [2].
(A): 8326241 drivers/of: Return allocated memory from of_fdt_unflatten_tree()
c426323 drivers/of: Specify parent node in of_fdt_unflatten_tree()
947c82c drivers/of: Rename unflatten_dt_node()
5080008 drivers/of: Avoid recursively calling unflatten_dt_node()
dfbd4c6 drivers/of: Split unflatten_dt_node()
(B): ac78f9b drivers/of: Fix depth when unflattening devicetree
Thanks,
Gavin
>Rob
>
* Re: drivers/of: crash on boot
@ 2016-05-19 11:19 ` Gavin Shan
0 siblings, 0 replies; 19+ messages in thread
From: Gavin Shan @ 2016-05-19 11:19 UTC (permalink / raw)
To: Rob Herring
Cc: Rhyland Klein, Sasha Levin, Gavin Shan, LKML, Grant Likely,
devicetree-u79uwXL29TY76Z2rM5mHXA
On Wed, May 18, 2016 at 08:51:59PM -0500, Rob Herring wrote:
>On Wed, May 18, 2016 at 7:23 PM, Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
>> On Wed, May 18, 2016 at 4:26 PM, Rhyland Klein <rklein-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org> wrote:
>>> On 5/18/2016 3:58 PM, Rhyland Klein wrote:
>>>> On 5/18/2016 3:36 PM, Rob Herring wrote:
>>>>> On Wed, May 18, 2016 at 10:34 AM, Sasha Levin <sasha.levin-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> wrote:
>>>>>> Hi Rhyland,
>>>>>>
>>>>>> I'm seeing a crash on boot that seems to have been caused by
>>>>>> "drivers/of: Fix depth when unflattening devicetree":
>>>>>>
>>>>>> [ 61.145229] ==================================================================
>>>>>>
>>>>>> [ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
>
>[...]
>
>>> This patch seems to work for me. I found a bug in my original patch.
>>> Sasha/Rob, can you see if this works for you too:
>>>
>>> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>>> index 0b5850027bb5..e7a8caac5b27 100644
>>> --- a/drivers/of/fdt.c
>>> +++ b/drivers/of/fdt.c
>>> @@ -407,9 +407,9 @@ static int unflatten_dt_nodes(const void *blob,
>>>
>>> root = dad;
>>> fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
>>> - nps[depth+1] = dad;
>>> + nps[depth] = dad;
>>> for (offset = 0;
>>> - offset >= 0;
>>> + offset >= 0 && depth >= 0;
>>> offset = fdt_next_node(blob, offset, &depth)) {
>>> if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
>>> continue;
>>
>> This is not work for me. I'm booting x86 with the DT unit test and
>> KASAN enabled. I suspect our differences are due to different data
>> after the end of the dtb. Also, I think there may be a bug in
>> fdt_next_node FDT_END handling. The "!depth" seems suspicious to me
>> and I think it should be "!(*depth)".
>>
>> The DT overlay unit tests are also failing. Not sure if that's related.
>
>Seems with the above patch and the fix to fdt_next_node, the problem
>is fixed both for KASAN and the DT overlay tests. Trying it out now
>with some other configurations.
>
There're 5 patches I introduced to drivers/of/fdt.c (A). Rhyland had
one patch based on them (B). The code change in this thread is (C).
I tried several cases as below.
There is one failing case caused by something we don't know yet. I
will do some investigation unless it's not an issue or a known issue
of unittest itself.
[1]. (A) excluded, (B) excluded, (C) excluded
=============================================
device-tree: Duplicate name in testcase-data, renamed to "duplicate-name#1"
### dt-test ### start of unittest - you will see error messages
/testcase-data/phandle-tests/consumer-a: could not get #phandle-cells-missing for /testcase-data/phandle-tests/provider1
/testcase-data/phandle-tests/consumer-a: could not get #phandle-cells-missing for /testcase-data/phandle-tests/provider1
/testcase-data/phandle-tests/consumer-a: could not find phandle
/testcase-data/phandle-tests/consumer-a: could not find phandle
/testcase-data/phandle-tests/consumer-a: arguments longer than property
/testcase-data/phandle-tests/consumer-a: arguments longer than property
irq: XICS didn't like hwirq-0x1 to VIRQ32 mapping (rc=-22)
irq: XICS didn't like hwirq-0x1 to VIRQ32 mapping (rc=-22)
### dt-test ### FAIL of_unittest_platform_populate():783 device deferred probe failed - 0
overlay_is_topmost: #5 clashes #6 @/testcase-data/overlay-node/test-bus/test-unittest8
overlay_removal_is_ok: overlay #5 is not topmost
of_overlay_destroy: removal check failed for overlay #5
### dt-test ### end of unittest - 147 passed, 1 failed
[2]. (A) included, (B) excluded, (C) excluded
=============================================
Same output as [1]
[3]. (A) included, (B) included, (C) excluded
=============================================
System fails to boot
[4]. (A) included, (B) included, (C) included
=============================================
Same output as [1] and [2].
(A): 8326241 drivers/of: Return allocated memory from of_fdt_unflatten_tree()
c426323 drivers/of: Specify parent node in of_fdt_unflatten_tree()
947c82c drivers/of: Rename unflatten_dt_node()
5080008 drivers/of: Avoid recursively calling unflatten_dt_node()
dfbd4c6 drivers/of: Split unflatten_dt_node()
(B): ac78f9b drivers/of: Fix depth when unflattening devicetree
Thanks,
Gavin
>Rob
>
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: drivers/of: crash on boot
2016-05-19 11:19 ` Gavin Shan
@ 2016-05-19 12:48 ` Rob Herring
-1 siblings, 0 replies; 19+ messages in thread
From: Rob Herring @ 2016-05-19 12:48 UTC (permalink / raw)
To: Gavin Shan; +Cc: Rhyland Klein, Sasha Levin, LKML, Grant Likely, devicetree
On Thu, May 19, 2016 at 6:19 AM, Gavin Shan <gwshan@linux.vnet.ibm.com> wrote:
> On Wed, May 18, 2016 at 08:51:59PM -0500, Rob Herring wrote:
>>On Wed, May 18, 2016 at 7:23 PM, Rob Herring <robh@kernel.org> wrote:
>>> On Wed, May 18, 2016 at 4:26 PM, Rhyland Klein <rklein@nvidia.com> wrote:
>>>> On 5/18/2016 3:58 PM, Rhyland Klein wrote:
>>>>> On 5/18/2016 3:36 PM, Rob Herring wrote:
>>>>>> On Wed, May 18, 2016 at 10:34 AM, Sasha Levin <sasha.levin@oracle.com> wrote:
>>>>>>> Hi Rhyland,
>>>>>>>
>>>>>>> I'm seeing a crash on boot that seems to have been caused by
>>>>>>> "drivers/of: Fix depth when unflattening devicetree":
>>>>>>>
>>>>>>> [ 61.145229] ==================================================================
>>>>>>>
>>>>>>> [ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
>>
>>[...]
>>
>>>> This patch seems to work for me. I found a bug in my original patch.
>>>> Sasha/Rob, can you see if this works for you too:
>>>>
>>>> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>>>> index 0b5850027bb5..e7a8caac5b27 100644
>>>> --- a/drivers/of/fdt.c
>>>> +++ b/drivers/of/fdt.c
>>>> @@ -407,9 +407,9 @@ static int unflatten_dt_nodes(const void *blob,
>>>>
>>>> root = dad;
>>>> fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
>>>> - nps[depth+1] = dad;
>>>> + nps[depth] = dad;
>>>> for (offset = 0;
>>>> - offset >= 0;
>>>> + offset >= 0 && depth >= 0;
>>>> offset = fdt_next_node(blob, offset, &depth)) {
>>>> if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
>>>> continue;
>>>
>>> This does not work for me. I'm booting x86 with the DT unit test and
>>> KASAN enabled. I suspect our differences are due to different data
>>> after the end of the dtb. Also, I think there may be a bug in
>>> fdt_next_node FDT_END handling. The "!depth" seems suspicious to me
>>> and I think it should be "!(*depth)".
>>>
>>> The DT overlay unit tests are also failing. Not sure if that's related.
>>
>>Seems with the above patch and the fix to fdt_next_node, the problem
>>is fixed both for KASAN and the DT overlay tests. Trying it out now
>>with some other configurations.
>>
>
> There're 5 patches I introduced to drivers/of/fdt.c (A). Rhyland had
> one patch based on them (B). The code change in this thread is (C).
> I tried several cases as below.
>
> There is one failing case caused by something we don't know yet. I
> will do some investigation unless it's not an issue or a known issue
> of unittest itself.
>
> [1]. (A) excluded, (B) excluded, (C) excluded
> =============================================
> device-tree: Duplicate name in testcase-data, renamed to "duplicate-name#1"
> ### dt-test ### start of unittest - you will see error messages
> /testcase-data/phandle-tests/consumer-a: could not get #phandle-cells-missing for /testcase-data/phandle-tests/provider1
> /testcase-data/phandle-tests/consumer-a: could not get #phandle-cells-missing for /testcase-data/phandle-tests/provider1
> /testcase-data/phandle-tests/consumer-a: could not find phandle
> /testcase-data/phandle-tests/consumer-a: could not find phandle
> /testcase-data/phandle-tests/consumer-a: arguments longer than property
> /testcase-data/phandle-tests/consumer-a: arguments longer than property
> irq: XICS didn't like hwirq-0x1 to VIRQ32 mapping (rc=-22)
> irq: XICS didn't like hwirq-0x1 to VIRQ32 mapping (rc=-22)
> ### dt-test ### FAIL of_unittest_platform_populate():783 device deferred probe failed - 0
Humm, I'm not seeing this one.
> overlay_is_topmost: #5 clashes #6 @/testcase-data/overlay-node/test-bus/test-unittest8
> overlay_removal_is_ok: overlay #5 is not topmost
> of_overlay_destroy: removal check failed for overlay #5
> ### dt-test ### end of unittest - 147 passed, 1 failed
>
> [2]. (A) included, (B) excluded, (C) excluded
> =============================================
> Same output as [1]
>
> [3]. (A) included, (B) included, (C) excluded
> =============================================
> System fails to boot
>
> [4]. (A) included, (B) included, (C) included
> =============================================
> Same output as [1] and [2].
For C, this includes the fix to depth in fdt_next_node?
While case 2 works for you, do you agree that there is an off by one
error and initially fdt_next_node should be called with depth=0?
Rob
* Re: drivers/of: crash on boot
@ 2016-05-19 14:20 ` Rob Herring
0 siblings, 0 replies; 19+ messages in thread
From: Rob Herring @ 2016-05-19 14:20 UTC (permalink / raw)
To: Rhyland Klein; +Cc: Sasha Levin, Gavin Shan, LKML, Grant Likely, devicetree
On Wed, May 18, 2016 at 8:51 PM, Rob Herring <robh@kernel.org> wrote:
> On Wed, May 18, 2016 at 7:23 PM, Rob Herring <robh@kernel.org> wrote:
>> On Wed, May 18, 2016 at 4:26 PM, Rhyland Klein <rklein@nvidia.com> wrote:
>>> On 5/18/2016 3:58 PM, Rhyland Klein wrote:
>>>> On 5/18/2016 3:36 PM, Rob Herring wrote:
>>>>> On Wed, May 18, 2016 at 10:34 AM, Sasha Levin <sasha.levin@oracle.com> wrote:
>>>>>> Hi Rhyland,
>>>>>>
>>>>>> I'm seeing a crash on boot that seems to have been caused by
>>>>>> "drivers/of: Fix depth when unflattening devicetree":
>>>>>>
>>>>>> [ 61.145229] ==================================================================
>>>>>>
>>>>>> [ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
>
> [...]
>
>>> This patch seems to work for me. I found a bug in my original patch.
>>> Sasha/Rob, can you see if this works for you too:
>>>
>>> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>>> index 0b5850027bb5..e7a8caac5b27 100644
>>> --- a/drivers/of/fdt.c
>>> +++ b/drivers/of/fdt.c
>>> @@ -407,9 +407,9 @@ static int unflatten_dt_nodes(const void *blob,
>>>
>>> root = dad;
>>> fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
>>> - nps[depth+1] = dad;
>>> + nps[depth] = dad;
>>> for (offset = 0;
>>> - offset >= 0;
>>> + offset >= 0 && depth >= 0;
>>> offset = fdt_next_node(blob, offset, &depth)) {
>>> if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
>>> continue;
>>
>> This does not work for me. I'm booting x86 with the DT unit test and
>> KASAN enabled. I suspect our differences are due to different data
>> after the end of the dtb. Also, I think there may be a bug in
>> fdt_next_node FDT_END handling. The "!depth" seems suspicious to me
>> and I think it should be "!(*depth)".
I take that back. Your change does work for me. Must have had something stale.
>> The DT overlay unit tests are also failing. Not sure if that's related.
>
> Seems with the above patch and the fix to fdt_next_node, the problem
> is fixed both for KASAN and the DT overlay tests. Trying it out now
> with some other configurations.
fdt_next_node is in fact correct. Changing it caused failures in the
dtc unit tests.
So I have squashed the above fix into your original fix and pushed
that out to -next. kernelci.org is also seeing some failures due to
this. I'll give this another day or so before sending to Linus.
Rob
* Re: drivers/of: crash on boot
2016-05-19 12:48 ` Rob Herring
@ 2016-05-20 2:40 ` Gavin Shan
-1 siblings, 0 replies; 19+ messages in thread
From: Gavin Shan @ 2016-05-20 2:40 UTC (permalink / raw)
To: Rob Herring
Cc: Gavin Shan, Rhyland Klein, Sasha Levin, LKML, Grant Likely, devicetree
On Thu, May 19, 2016 at 07:48:18AM -0500, Rob Herring wrote:
>On Thu, May 19, 2016 at 6:19 AM, Gavin Shan <gwshan@linux.vnet.ibm.com> wrote:
>> On Wed, May 18, 2016 at 08:51:59PM -0500, Rob Herring wrote:
>>>On Wed, May 18, 2016 at 7:23 PM, Rob Herring <robh@kernel.org> wrote:
>>>> On Wed, May 18, 2016 at 4:26 PM, Rhyland Klein <rklein@nvidia.com> wrote:
>>>>> On 5/18/2016 3:58 PM, Rhyland Klein wrote:
>>>>>> On 5/18/2016 3:36 PM, Rob Herring wrote:
>>>>>>> On Wed, May 18, 2016 at 10:34 AM, Sasha Levin <sasha.levin@oracle.com> wrote:
>>>>>>>> Hi Rhyland,
>>>>>>>>
>>>>>>>> I'm seeing a crash on boot that seems to have been caused by
>>>>>>>> "drivers/of: Fix depth when unflattening devicetree":
>>>>>>>>
>>>>>>>> [ 61.145229] ==================================================================
>>>>>>>>
>>>>>>>> [ 61.147588] BUG: KASAN: stack-out-of-bounds in unflatten_dt_nodes+0x11d2/0x1290 at addr ffff88005b30777c
>>>
>>>[...]
>>>
>>>>> This patch seems to work for me. I found a bug in my original patch.
>>>>> Sasha/Rob, can you see if this works for you too:
>>>>>
>>>>> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
>>>>> index 0b5850027bb5..e7a8caac5b27 100644
>>>>> --- a/drivers/of/fdt.c
>>>>> +++ b/drivers/of/fdt.c
>>>>> @@ -407,9 +407,9 @@ static int unflatten_dt_nodes(const void *blob,
>>>>>
>>>>> root = dad;
>>>>> fpsizes[depth] = dad ? strlen(of_node_full_name(dad)) : 0;
>>>>> - nps[depth+1] = dad;
>>>>> + nps[depth] = dad;
>>>>> for (offset = 0;
>>>>> - offset >= 0;
>>>>> + offset >= 0 && depth >= 0;
>>>>> offset = fdt_next_node(blob, offset, &depth)) {
>>>>> if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
>>>>> continue;
>>>>
>>>> This does not work for me. I'm booting x86 with the DT unit test and
>>>> KASAN enabled. I suspect our differences are due to different data
>>>> after the end of the dtb. Also, I think there may be a bug in
>>>> fdt_next_node FDT_END handling. The "!depth" seems suspicious to me
>>>> and I think it should be "!(*depth)".
>>>>
>>>> The DT overlay unit tests are also failing. Not sure if that's related.
>>>
>>>Seems with the above patch and the fix to fdt_next_node, the problem
>>>is fixed both for KASAN and the DT overlay tests. Trying it out now
>>>with some other configurations.
>>>
>>
>> There're 5 patches I introduced to drivers/of/fdt.c (A). Rhyland had
>> one patch based on them (B). The code change in this thread is (C).
>> I tried several cases as below.
>>
>> There is one failing case caused by something we don't know yet. I
>> will do some investigation unless it's not an issue or a known issue
>> of unittest itself.
>>
>> [1]. (A) excluded, (B) excluded, (C) excluded
>> =============================================
>> device-tree: Duplicate name in testcase-data, renamed to "duplicate-name#1"
>> ### dt-test ### start of unittest - you will see error messages
>> /testcase-data/phandle-tests/consumer-a: could not get #phandle-cells-missing for /testcase-data/phandle-tests/provider1
>> /testcase-data/phandle-tests/consumer-a: could not get #phandle-cells-missing for /testcase-data/phandle-tests/provider1
>> /testcase-data/phandle-tests/consumer-a: could not find phandle
>> /testcase-data/phandle-tests/consumer-a: could not find phandle
>> /testcase-data/phandle-tests/consumer-a: arguments longer than property
>> /testcase-data/phandle-tests/consumer-a: arguments longer than property
>> irq: XICS didn't like hwirq-0x1 to VIRQ32 mapping (rc=-22)
>> irq: XICS didn't like hwirq-0x1 to VIRQ32 mapping (rc=-22)
>> ### dt-test ### FAIL of_unittest_platform_populate():783 device deferred probe failed - 0
>
>Humm, I'm not seeing this one.
>
Ok. Thanks for confirming. I will do some investigation later.
>> overlay_is_topmost: #5 clashes #6 @/testcase-data/overlay-node/test-bus/test-unittest8
>> overlay_removal_is_ok: overlay #5 is not topmost
>> of_overlay_destroy: removal check failed for overlay #5
>> ### dt-test ### end of unittest - 147 passed, 1 failed
>>
>> [2]. (A) included, (B) excluded, (C) excluded
>> =============================================
>> Same output as [1]
>>
>> [3]. (A) included, (B) included, (C) excluded
>> =============================================
>> System fails to boot
>>
>> [4]. (A) included, (B) included, (C) included
>> =============================================
>> Same output as [1] and [2].
>
>For C, this includes the fix to depth in fdt_next_node?
>
Nope, (C) does not include the depth change in fdt_next_node().
I don't see that we have a problem with it in fdt_next_node(). In case
[4] - all code (except @depth fix in fdt_next_node()) included,
the @depth changes properly in unflatten_dt_nodes() as I saw.
>While case 2 works for you, do you agree that there is an off by one
>error and initially fdt_next_node should be called with depth=0?
>
Rhyland's patch (plus his code he sent in this thread) should be
included. The test result is [4] with Rhyland's fixes included.
Otherwise, the check on @depth in fdt_next_node() needs adjustment.
However, fdt_next_node() is used by unflatten_dt_nodes() and others.
So I think the right option is to include Rhyland's fixes and not
change @depth in fdt_next_node().
Thanks,
Gavin
>Rob
>
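A model of the depth bookkeeping Rob and Gavin discuss above (the `nps[depth]` parent stack, the `depth >= 0` guard, and what fdt_next_node() does with depth once it passes the starting node's END_NODE), added here as an example; it is not libfdt or kernel code. The tag streams are constructed, MAX_DEPTH stands in for FDT_MAX_DEPTH, and next_node() copies only fdt_next_node()'s depth rules, not its real tag parsing.

```c
/* Added model of the depth bookkeeping discussed in this thread; not libfdt
 * or kernel code. next_node() copies fdt_next_node()'s depth rules (BEGIN_NODE:
 * depth++, END_NODE: depth--, return once depth < 0) over a constructed tag
 * stream; walk_tree() copies the patched loop from unflatten_dt_nodes():
 * nps[depth] is the parent, nps[depth+1] the node being populated, and
 * `depth >= 0` ends the walk after the starting node's END_NODE. */
enum tag { T_BEGIN_NODE, T_END_NODE, T_PROP, T_NOP, T_END };
enum { ERR_NOTFOUND = -1, ERR_BADOFFSET = -2, ERR_TRUNCATED = -3 };
#define MAX_DEPTH 4   /* stands in for FDT_MAX_DEPTH; small on purpose */

/* Advance from the node at `offset` to the next BEGIN_NODE, updating *depth.
 * Negative result: stream exhausted or `offset` is not a node. Leaving the
 * starting node's subtree returns a *valid* offset (the tag after its
 * END_NODE) although *depth has already gone below zero. */
int next_node(const enum tag *toks, int ntoks, int offset, int *depth)
{
    int next;
    enum tag t;

    if (offset < 0 || offset >= ntoks || toks[offset] != T_BEGIN_NODE)
        return ERR_BADOFFSET;
    next = offset + 1;                 /* step past the node's own BEGIN_NODE */
    do {
        offset = next;
        if (offset >= ntoks)
            return ERR_TRUNCATED;      /* no FDT_END tag: truncated blob */
        t = toks[offset];
        next = offset + 1;
        switch (t) {
        case T_PROP: case T_NOP: break;
        case T_BEGIN_NODE: (*depth)++; break;
        case T_END_NODE:
            if (--(*depth) < 0)
                return next;           /* left the subtree we started in */
            break;
        case T_END: return ERR_NOTFOUND;
        }
    } while (t != T_BEGIN_NODE);
    return offset;
}

struct walk_result {
    int nodes;          /* nodes the loop body populated */
    int max_depth;      /* deepest depth populated */
    int min_index;      /* smallest depth the body indexed nps[] with */
    int warned;         /* times the upper-bound WARN_ON_ONCE() path ran */
    int root_children;  /* nodes whose parent slot nps[depth] is the root */
};

/* guard_depth: 1 = patched loop (`offset >= 0 && depth >= 0`), 0 = original. */
struct walk_result walk_tree(const enum tag *toks, int ntoks, int guard_depth)
{
    struct walk_result r = { 0, 0, 0, 0, 0 };
    int nps[MAX_DEPTH + 1];            /* parent stack, indexed by depth */
    int depth = 0, offset;

    nps[0] = -1;                       /* nps[depth] = dad: root has no parent */
    for (offset = 0;
         offset >= 0 && (!guard_depth || depth >= 0);
         offset = next_node(toks, ntoks, offset, &depth)) {
        if (depth >= MAX_DEPTH) { r.warned++; continue; }
        if (depth < r.min_index) r.min_index = depth;
        if (depth < 0)                 /* the real loop reads nps[depth] here: */
            continue;                  /* the KASAN stack OOB; only recorded */
        if (nps[depth] == 0) r.root_children++;
        nps[depth + 1] = offset;       /* populate_node(.., nps[depth], &nps[depth+1]) */
        r.nodes++;
        if (depth > r.max_depth) r.max_depth = depth;
    }
    return r;
}

/* Constructed streams: "/ { p; a { b { }; }; c { }; };" and one cut off
 * before the root's END_NODE and FDT_END. */
const enum tag sample_tree[] = { T_BEGIN_NODE, T_PROP, T_BEGIN_NODE, T_BEGIN_NODE,
    T_END_NODE, T_END_NODE, T_BEGIN_NODE, T_END_NODE, T_END_NODE, T_END };
const enum tag truncated_tree[] = { T_BEGIN_NODE, T_PROP, T_BEGIN_NODE, T_END_NODE };
```

walk_tree(sample_tree, 10, 0) reports min_index -1: once next_node() has returned the offset past the root's END_NODE with depth already -1, the body indexes nps[-1], which is the stack read KASAN flagged; with the guard (third argument 1) it stays at 0 and the truncated stream still ends the loop through the negative offset.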