From: Dmitry Osipenko
Subject: Re: [PATCH V7 5/7] cpufreq: Register notifiers with the PM QoS framework
Date: Mon, 14 Oct 2019 16:01:18 +0300
To: Viresh Kumar
Cc: Rafael Wysocki, linux-pm@vger.kernel.org, Vincent Guittot, mka@chromium.org, ulf.hansson@linaro.org, sfr@canb.auug.org.au, pavel@ucw.cz, "Rafael J. Wysocki", linux-kernel@vger.kernel.org, linux-tegra@vger.kernel.org
In-Reply-To: <20191014094215.kb6q32chgb5sd2nb@vireshk-i7>
References: <5ad2624194baa2f53acc1f1e627eb7684c577a19.1562210705.git.viresh.kumar@linaro.org> <2c7a751a58adb4ce6f345dab9714b924504009b6.1562583394.git.viresh.kumar@linaro.org> <20191014094215.kb6q32chgb5sd2nb@vireshk-i7>

14.10.2019 12:42, Viresh Kumar wrote:
> On 22-09-19, 23:12, Dmitry Osipenko wrote:
>> This patch causes use-after-free on a cpufreq driver module reload. Please take a look, thanks in advance.
>>
>>
>> [   87.952369] ==================================================================
>> [   87.953259] BUG: KASAN: use-after-free in notifier_chain_register+0x4f/0x9c
>> [   87.954031] Read of size 4 at addr e6abbd0c by task modprobe/243
>
> Hi Dmitry,
>
> I tried to reproduce it on my ubuntu on ARM64 setup and I couldn't hit
> these issues on v5.4-rc1 with Kasan built in.
>
> I then enabled Kasan (tried both inline and outline instrumentation)
> but I couldn't get past the issues with module insertion. It fails
> like this for me:
>
> root@linaro-developer:~/work# insmod cpufreq-dt.ko
> [   72.985974] cpufreq_dt: Unknown symbol __asan_report_load1_noabort (err -2)
> [   72.993164] cpufreq_dt: Unknown symbol __asan_report_load4_noabort (err -2)
> [   73.000307] cpufreq_dt: Unknown symbol __asan_report_load8_noabort (err -2)
> [   73.007451] cpufreq_dt: Unknown symbol __asan_report_store1_noabort (err -2)
> [   73.014643] cpufreq_dt: Unknown symbol __asan_register_globals (err -2)
> [   73.021409] cpufreq_dt: Unknown symbol __asan_unregister_globals (err -2)
> [   73.028349] cpufreq_dt: Unknown symbol __asan_report_store8_noabort (err -2)
> [   73.035543] cpufreq_dt: Unknown symbol __asan_report_store4_noabort (err -2)
> insmod: ERROR: could not insert module cpufreq-dt.ko: Unknown symbol in module
>
> I tried to search for these errors but couldn't find why I am getting
> these and why the symbols are missing here. Can you suggest something
> here ?
>

Sorry, I don't know what's wrong with ARM64. There is no KASAN on ARM32 in upstream yet, I'm using the WIP patches [1].

[1] https://lkml.org/lkml/2019/6/17/1562

BTW, I moved tegra20-cpufreq to use cpufreq-dt recently and the problem presents with the cpufreq-dt:

# rmmod cpufreq_dt
# modprobe cpufreq_dt
[   31.259483] ==================================================================
[   31.260321] BUG: KASAN: use-after-free in notifier_chain_register+0x2b/0x7c
[   31.261026] Read of size 4 at addr cc30250c by task modprobe/218
[   31.262067] CPU: 1 PID: 218 Comm: modprobe Tainted: G W 5.4.0-rc2-next-20191011-00194-g02f44e30b215-dirty #2645
[   31.263347] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
[   31.264154] [] (unwind_backtrace) from [] (show_stack+0x11/0x14)
[   31.264960] [] (show_stack) from [] (dump_stack+0x89/0x98)
[   31.265804] [] (dump_stack) from [] (print_address_description.constprop.0+0x3d/0x340)
[   31.266830] [] (print_address_description.constprop.0) from [] (__kasan_report+0xe3/0x12c)
[   31.267865] [] (__kasan_report) from [] (notifier_chain_register+0x2b/0x7c)
[   31.268755] [] (notifier_chain_register) from [] (blocking_notifier_chain_register+0x29/0x3c)
[   31.269842] [] (blocking_notifier_chain_register) from [] (dev_pm_qos_add_notifier+0x79/0xf8)
[   31.270948] [] (dev_pm_qos_add_notifier) from [] (cpufreq_online+0x5e1/0x8a4)
[   31.271922] [] (cpufreq_online) from [] (cpufreq_add_dev+0x79/0x80)
[   31.272889] [] (cpufreq_add_dev) from [] (subsys_interface_register+0xc3/0x100)
[   31.273894] [] (subsys_interface_register) from [] (cpufreq_register_driver+0x13b/0x1ec)
[   31.274912] [] (cpufreq_register_driver) from [] (dt_cpufreq_probe+0x89/0xe0 [cpufreq_dt])
[   31.275924] [] (dt_cpufreq_probe [cpufreq_dt]) from [] (platform_drv_probe+0x49/0x88)
[   31.276889] [] (platform_drv_probe) from [] (really_probe+0x109/0x378)
[   31.277715] [] (really_probe) from [] (driver_probe_device+0x57/0x15c)
[   31.278537] [] (driver_probe_device) from [] (device_driver_attach+0x61/0x64)
[   31.279425] [] (device_driver_attach) from [] (__driver_attach+0x49/0xa0)
[   31.280273] [] (__driver_attach) from [] (bus_for_each_dev+0x69/0x94)
[   31.281087] [] (bus_for_each_dev) from [] (bus_add_driver+0x179/0x1e8)
[   31.281909] [] (bus_add_driver) from [] (driver_register+0x8f/0x130)
[   31.282734] [] (driver_register) from [] (dt_cpufreq_platdrv_init+0x17/0x1000 [cpufreq_dt])
[   31.283761] [] (dt_cpufreq_platdrv_init [cpufreq_dt]) from [] (do_one_initcall+0x4d/0x280)
[   31.284759] [] (do_one_initcall) from [] (do_init_module+0xb9/0x28c)
[   31.285561] [] (do_init_module) from [] (load_module+0x2895/0x2c04)
[   31.286347] [] (load_module) from [] (sys_finit_module+0x7b/0x8c)
[   31.287117] [] (sys_finit_module) from [] (ret_fast_syscall+0x1/0x26)
[   31.287901] Exception stack(0xcabb3fa8 to 0xcabb3ff0)
[   31.288406] 3fa0:                   0003f348 00000001 00000003 0002b744 00000000 b6b31e74
[   31.289200] 3fc0: 0003f348 00000001 94ccfd00 0000017b 0003f3f0 00000000 0003f348 00040010
[   31.290029] 3fe0: b6b31df8 b6b31de8 00022534 aec752f0
[   31.290698]
[   31.290698] Allocated by task 181:
[   31.291065]  __kasan_kmalloc.constprop.0+0x7b/0x84
[   31.291565]  cpufreq_online+0x55f/0x8a4
[   31.291959]  cpufreq_add_dev+0x79/0x80
[   31.292351]  subsys_interface_register+0xc3/0x100
[   31.292830]  cpufreq_register_driver+0x13b/0x1ec
[   31.293335]  dt_cpufreq_probe+0x89/0xe0 [cpufreq_dt]
[   31.293832]  platform_drv_probe+0x49/0x88
[   31.294245]  really_probe+0x109/0x378
[   31.294623]  driver_probe_device+0x57/0x15c
[   31.295048]  device_driver_attach+0x61/0x64
[   31.295472]  __driver_attach+0x49/0xa0
[   31.295854]  bus_for_each_dev+0x69/0x94
[   31.296244]  bus_add_driver+0x179/0x1e8
[   31.296636]  driver_register+0x8f/0x130
[   31.297047]  dt_cpufreq_platdrv_init+0x17/0x1000 [cpufreq_dt]
[   31.297616]  do_one_initcall+0x4d/0x280
[   31.298013]  do_init_module+0xb9/0x28c
[   31.298397]  load_module+0x2895/0x2c04
[   31.298780]  sys_finit_module+0x7b/0x8c
[   31.299167]  ret_fast_syscall+0x1/0x26
[   31.299548]  0xb6c2ac60
[   31.299967]
[   31.299967] Freed by task 214:
[   31.300288]  __kasan_slab_free+0xb7/0xe0
[   31.300686]  kfree+0x71/0x1f4
[   31.301001]  subsys_interface_unregister+0xad/0xf0
[   31.338959]  cpufreq_unregister_driver+0x2f/0x7c
[   31.377102]  dt_cpufreq_remove+0x15/0x18 [cpufreq_dt]
[   31.414885]  platform_drv_remove+0x27/0x34
[   31.452644]  device_release_driver_internal+0xdf/0x1a8
[   31.490404]  driver_detach+0x85/0xf8
[   31.527682]  bus_remove_driver+0x53/0xb0
[   31.564827]  dt_cpufreq_platdrv_exit+0x9/0xb28 [cpufreq_dt]
[   31.601736]  sys_delete_module+0x117/0x1a4
[   31.638575]  ret_fast_syscall+0x1/0x26
[   31.675041]  0xb6cafff4
[   31.746517]
[   31.746517] The buggy address belongs to the object at cc302400
[   31.746517]  which belongs to the cache kmalloc-512 of size 512
[   31.817855] The buggy address is located 268 bytes inside of
[   31.817855]  512-byte region [cc302400, cc302600)
[   31.888496] The buggy address belongs to the page:
[   31.923247] page:d291a000 refcount:1 mapcount:0 mapping:ce001a00 index:0x0 compound_mapcount: 0
[   31.958247] flags: 0x10200(slab|head)
[   31.992944] raw: 00010200 00000100 00000122 ce001a00 00000000 00100010 ffffffff 00000001
[   32.027763] page dumped because: kasan: bad access detected
[   32.095965]
[   32.095965] Memory state around the buggy address:
[   32.129904]  cc302400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.163593]  cc302480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.196538] >cc302500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.229052]            ^
[   32.260939]  cc302580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.292881]  cc302600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   32.324296] ==================================================================
[   32.355594] Disabling lock debugging due to kernel taint
[   32.462151] ------------[ cut here ]------------
[   32.492881] WARNING: CPU: 1 PID: 218 at lib/refcount.c:156 dev_pm_opp_of_add_table+0x59/0x128
[   32.523741] refcount_t: increment on 0; use-after-free.
[   32.554329] Modules linked in: cpufreq_dt(+) tegra30_devfreq [last unloaded: cpufreq_dt]
[   32.585233] CPU: 1 PID: 218 Comm: modprobe Tainted: G B W 5.4.0-rc2-next-20191011-00194-g02f44e30b215-dirty #2645
[   32.646692] Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
[   32.677493] [] (unwind_backtrace) from [] (show_stack+0x11/0x14)
[   32.708460] [] (show_stack) from [] (dump_stack+0x89/0x98)
[   32.739392] [] (dump_stack) from [] (__warn+0x10f/0x110)
[   32.770049] [] (__warn) from [] (warn_slowpath_fmt+0x61/0x78)
[   32.800656] [] (warn_slowpath_fmt) from [] (dev_pm_opp_of_add_table+0x59/0x128)
[   32.860732] [] (dev_pm_opp_of_add_table) from [] (dev_pm_opp_of_cpumask_add_table+0x31/0x88)
[   32.921247] [] (dev_pm_opp_of_cpumask_add_table) from [] (cpufreq_init+0xd9/0x280 [cpufreq_dt])
[   32.982732] [] (cpufreq_init [cpufreq_dt]) from [] (cpufreq_online+0x37f/0x8a4)
[   33.045107] [] (cpufreq_online) from [] (cpufreq_add_dev+0x79/0x80)
[   33.077037] [] (cpufreq_add_dev) from [] (subsys_interface_register+0xc3/0x100)
[   33.140128] [] (subsys_interface_register) from [] (cpufreq_register_driver+0x13b/0x1ec)
[   33.204911] [] (cpufreq_register_driver) from [] (dt_cpufreq_probe+0x89/0xe0 [cpufreq_dt])
[   33.271766] [] (dt_cpufreq_probe [cpufreq_dt]) from [] (platform_drv_probe+0x49/0x88)
[   33.340156] [] (platform_drv_probe) from [] (really_probe+0x109/0x378)
[   33.375275] [] (really_probe) from [] (driver_probe_device+0x57/0x15c)
[   33.410559] [] (driver_probe_device) from [] (device_driver_attach+0x61/0x64)
[   33.446244] [] (device_driver_attach) from [] (__driver_attach+0x49/0xa0)
[   33.482238] [] (__driver_attach) from [] (bus_for_each_dev+0x69/0x94)
[   33.518513] [] (bus_for_each_dev) from [] (bus_add_driver+0x179/0x1e8)
[   33.555099] [] (bus_add_driver) from [] (driver_register+0x8f/0x130)
[   33.592015] [] (driver_register) from [] (dt_cpufreq_platdrv_init+0x17/0x1000 [cpufreq_dt])
[   33.666547] [] (dt_cpufreq_platdrv_init [cpufreq_dt]) from [] (do_one_initcall+0x4d/0x280)
[   33.742553] [] (do_one_initcall) from [] (do_init_module+0xb9/0x28c)
[   33.781507] [] (do_init_module) from [] (load_module+0x2895/0x2c04)
[   33.820735] [] (load_module) from [] (sys_finit_module+0x7b/0x8c)
[   33.860308] [] (sys_finit_module) from [] (ret_fast_syscall+0x1/0x26)
[   33.900121] Exception stack(0xcabb3fa8 to 0xcabb3ff0)
[   33.940062] 3fa0:                   0003f348 00000001 00000003 0002b744 00000000 b6b31e74
[   33.980876] 3fc0: 0003f348 00000001 94ccfd00 0000017b 0003f3f0 00000000 0003f348 00040010
[   34.021838] 3fe0: b6b31df8 b6b31de8 00022534 aec752f0
[   34.062931] ---[ end trace f68728a0d3053b54 ]---
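The report above gives the three points that define a use-after-free: where the memory was allocated (kmalloc in cpufreq_online, first modprobe), where it was freed (kfree via subsys_interface_unregister, rmmod) and where it was read again (notifier_chain_register, called through dev_pm_qos_add_notifier by cpufreq_online on the second modprobe, with the 4-byte read landing 268 bytes into the freed 512-byte object). One reading of that combination, and the one the C below models, is a notifier block embedded in the freed object that was never unlinked from the device's chain, so the next registration walks into it. This is a user-space illustration added here, not code from the thread or from the kernel: the names follow the trace, the struct layout and function bodies are simplified assumptions, and the guard before free() is a defensive check of my own, not anything the patch contains.

```c
/* User-space model of the lifecycle defect in the KASAN report above: an
 * object embedding notifier blocks is freed while the blocks are still
 * linked into a chain that outlives it. Added illustration, not kernel
 * code; names follow the trace, layout and bodies are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct notifier_block {
	int (*notifier_call)(struct notifier_block *nb, unsigned long val, void *data);
	struct notifier_block *next;
	int priority;
};

struct notifier_head {
	struct notifier_block *head;
};

/* Insert by descending priority. The walk reads ->priority (4 bytes) of
 * every block already on the chain, which is the read the report flags. */
static int notifier_chain_register(struct notifier_head *nh, struct notifier_block *n)
{
	struct notifier_block **nl = &nh->head;

	while (*nl && n->priority <= (*nl)->priority)
		nl = &(*nl)->next;
	n->next = *nl;
	*nl = n;
	return 0;
}

static int notifier_chain_unregister(struct notifier_head *nh, struct notifier_block *n)
{
	for (struct notifier_block **nl = &nh->head; *nl; nl = &(*nl)->next) {
		if (*nl == n) {
			*nl = n->next;
			return 0;
		}
	}
	return -ENOENT;
}

static size_t chain_length(const struct notifier_head *nh)
{
	size_t len = 0;

	for (const struct notifier_block *nb = nh->head; nb; nb = nb->next)
		len++;
	return len;
}

/* Byte offset within [obj, obj + size) of the first chain entry still
 * pointing into the object (the number KASAN prints as "located N bytes
 * inside of"), or -1 when the chain holds no pointer into it. */
static long chain_dangling_offset(const struct notifier_head *nh, const void *obj, size_t size)
{
	uintptr_t lo = (uintptr_t)obj;

	for (const struct notifier_block *nb = nh->head; nb; nb = nb->next) {
		uintptr_t at = (uintptr_t)nb;

		if (at >= lo && at < lo + size)
			return (long)(at - lo);
	}
	return -1;
}

/* Per-CPU policy as modelled here: one embedded block per QoS constraint
 * (min and max frequency). Callbacks are left NULL; layout is assumed. */
struct cpufreq_policy {
	unsigned int cpu;
	struct notifier_block nb_min;
	struct notifier_block nb_max;
};

/* "Online": allocate the policy and link both blocks into the device's
 * QoS chain, which survives the driver module being unloaded. */
static struct cpufreq_policy *policy_online(struct notifier_head *qos, unsigned int cpu)
{
	struct cpufreq_policy *p = calloc(1, sizeof(*p));

	if (!p)
		return NULL;
	p->cpu = cpu;
	notifier_chain_register(qos, &p->nb_min);
	notifier_chain_register(qos, &p->nb_max);
	return p;
}

/* Teardown as the trace shows it, straight to free() with the blocks still
 * linked, but with a guard in front: refuse to free an object the chain
 * still points into and report which field dangles. Without the guard
 * this is the use-after-free the next policy_online() would hit. */
static int policy_offline_skipping_unlink(struct notifier_head *qos, struct cpufreq_policy *p, long *off)
{
	*off = chain_dangling_offset(qos, p, sizeof(*p));
	if (*off >= 0)
		return -EBUSY;
	free(p);
	return 0;
}

/* Correct teardown: unlink every embedded block, then free. */
static int policy_offline(struct notifier_head *qos, struct cpufreq_policy *p)
{
	notifier_chain_unregister(qos, &p->nb_min);
	notifier_chain_unregister(qos, &p->nb_max);
	if (chain_dangling_offset(qos, p, sizeof(*p)) >= 0)
		return -EBUSY;
	free(p);
	return 0;
}

/* rmmod with the teardown that skips unlinking: returns the offset of the
 * dangling block the guard caught, or -1 if nothing was left behind. */
long scenario_skip_unlink(void)
{
	struct notifier_head qos = { NULL };
	struct cpufreq_policy *p = policy_online(&qos, 0);
	long off = -1;

	if (p && policy_offline_skipping_unlink(&qos, p, &off) == -EBUSY)
		policy_offline(&qos, p);	/* keep the model itself leak-free */
	return off;
}

/* rmmod then modprobe with the correct teardown: 0 means the second load
 * registered into a clean chain, a negative errno means it did not. */
int scenario_fixed_reload(void)
{
	struct notifier_head qos = { NULL };
	struct cpufreq_policy *p = policy_online(&qos, 0);
	int ret;

	if (!p)
		return -ENOMEM;
	ret = policy_offline(&qos, p);
	if (ret)
		return ret;
	if (chain_length(&qos) != 0)
		return -EFAULT;
	p = policy_online(&qos, 1);
	if (!p)
		return -ENOMEM;
	ret = chain_length(&qos) == 2 ? 0 : -EFAULT;
	policy_offline(&qos, p);
	return ret;
}

int main(void)
{
	printf("teardown without unlink: dangling block at offset %ld\n", scenario_skip_unlink());
	printf("fixed teardown + reload: %s\n", scenario_fixed_reload() == 0 ? "ok" : "failed");
	return 0;
}
```

The offset the guard reports is the model's equivalent of the "268 bytes inside of 512-byte region" line: in a real report, comparing that number against the object's layout (pahole or a quick offsetof) tells you which embedded field the chain still references, and therefore which unregister call the teardown path is missing.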