linux-kernel.vger.kernel.org archive mirror
From: Frank Rowand <frowand.list@gmail.com>
To: Rob Herring <robh+dt@kernel.org>
Cc: "devicetree@vger.kernel.org" <devicetree@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"Erhard F." <erhard_f@mailbox.org>
Subject: Re: Fwd: [Bug 214867] New: UBSAN: shift-out-of-bounds in drivers/of/unittest.c:1933:36
Date: Fri, 29 Oct 2021 19:07:53 -0500
Message-ID: <a83c3242-acc9-03da-d559-04e4baba75ca@gmail.com>
In-Reply-To: <c474a371-b524-1da8-4a67-e72cf8f2b0f7@gmail.com>

On 10/29/21 6:57 PM, Frank Rowand wrote:
> 
> Reported in bugzilla, forwarding to the mail lists and maintainers.
> 
> -Frank
> 
> 
> -------- Forwarded Message --------
> Subject: [Bug 214867] New: UBSAN: shift-out-of-bounds in drivers/of/unittest.c:1933:36
> Date: Fri, 29 Oct 2021 13:59:02 +0000
> From: bugzilla-daemon@bugzilla.kernel.org
> 
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=214867
> 
>             Bug ID: 214867
>            Summary: UBSAN: shift-out-of-bounds in
>                     drivers/of/unittest.c:1933:36
>            Product: Platform Specific/Hardware
>            Version: 2.5
>     Kernel Version: 5.15-rc7
>           Hardware: PPC-64
>                 OS: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: PPC-64
>           Assignee: platform_ppc-64@kernel-bugs.osdl.org
>           Reporter: erhard_f@mailbox.org
>                 CC: bugzilla.kernel.org@frowand.com
>         Regression: No
> 
> Created attachment 299361
>   --> https://bugzilla.kernel.org/attachment.cgi?id=299361&action=edit
> kernel dmesg (kernel 5.15-rc7, Talos II)
> 
> UBSAN catches this at boot on my Talos II.
> 
> [...]
> ### dt-test ### EXPECT / : GPIO line <<int>> (line-C-input) hogged as input
> ================================================================================
> UBSAN: shift-out-of-bounds in drivers/of/unittest.c:1933:36
> shift exponent -1 is negative
> CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc7-TalosII #1
> Call Trace:
> [c000000004163700] [c0000000008ffaa8] .dump_stack_lvl+0xa4/0x100 (unreliable)
> [c000000004163790] [c0000000008fb46c] .ubsan_epilogue+0x10/0x70
> [c000000004163800] [c0000000008fb270]
> .__ubsan_handle_shift_out_of_bounds+0x1f0/0x34c
> [c000000004163910] [c000000000ad94a0] .of_unittest_untrack_overlay+0x6c/0xe0
> [c0000000041639a0] [c000000002098ff8] .of_unittest+0x4c50/0x59f8
> [c000000004163b60] [c000000000011b5c] .do_one_initcall+0x7c/0x4f0
> [c000000004163c50] [c00000000200300c] .kernel_init_freeable+0x704/0x858
> [c000000004163d90] [c000000000012730] .kernel_init+0x20/0x190
> [c000000004163e10] [c00000000000ce78] .ret_from_kernel_thread+0x58/0x60
> ================================================================================
> ### dt-test ### EXPECT \ : OF: overlay: WARNING: memory leak will occur if
> overlay removed, property: /testcase-data-2/substation@100/status
> [...]
> 

Further comments in Bugzilla are:

----------  comment 1:

 Erhard F. 2021-10-29 14:00:20 UTC

Created attachment 299363
kernel .config (kernel 5.15-rc7, Talos II)

 # lspci 
0000:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0000:01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Turks XT [Radeon HD 6670/7670]
0000:01:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Turks HDMI Audio [Radeon HD 6500/6600 / 6700M Series]
0001:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0001:01:00.0 Non-Volatile memory controller: Phison Electronics Corporation Device 5008 (rev 01)
0002:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0003:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0003:01:00.0 USB controller: Texas Instruments TUSB73x0 SuperSpeed USB 3.0 xHCI Host Controller (rev 02)
0004:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0004:01:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme BCM5719 Gigabit Ethernet PCIe (rev 01)
0004:01:00.1 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme BCM5719 Gigabit Ethernet PCIe (rev 01)
0005:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0005:01:00.0 PCI bridge: ASPEED Technology, Inc. AST1150 PCI-to-PCI Bridge (rev 04)
0005:02:00.0 VGA compatible controller: ASPEED Technology, Inc. ASPEED Graphics Family (rev 41)
0030:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0031:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0032:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)
0033:00:00.0 PCI bridge: IBM POWER9 Host Bridge (PHB4)


----------  comment 2:

Comment 2 Arnd Bergmann 2021-10-29 14:06:48 UTC

This is the function that triggers it:

static void of_unittest_untrack_overlay(int id)
{
        if (overlay_first_id < 0)
                return;
        id -= overlay_first_id;
        if (WARN_ON(id >= MAX_UNITTEST_OVERLAYS))
                return;
        overlay_id_bits[BIT_WORD(id)] &= ~BIT_MASK(id);
}

My guess is that 'id' is negative here, which means it fails to trigger the
WARN_ON() but ends up still being out of range.

Can you try changing it to 'unsigned int id'?


----------  More info from me, but I did not comment in bugzilla

line 1933 is the final line of of_unittest_untrack_overlay()
(see comment 2 for context):

1933         overlay_id_bits[BIT_WORD(id)] &= ~BIT_MASK(id);
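
The range check discussed in comment 2, as an added userspace example that is not part of the original mail or the kernel source: it shows why a signed compare against the upper bound alone lets a negative id through to BIT_MASK(), and how the same compare behaves once id is unsigned. The macros are userspace stand-ins for the kernel ones; MAX_OVERLAYS = 256, the function names and the id value -1 are assumptions made for the example.

```c
#include <limits.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel macros used in comment 2. */
#define BITS_PER_LONG ((int)(sizeof(long) * CHAR_BIT))
#define BIT_WORD(nr)  ((nr) / BITS_PER_LONG)
#define BIT_MASK(nr)  (1UL << ((nr) % BITS_PER_LONG))
#define MAX_OVERLAYS  256	/* assumed value, not given in the mail */

static unsigned long id_bits[(MAX_OVERLAYS + BITS_PER_LONG - 1) / BITS_PER_LONG];

/* Guard as written in comment 2: signed compare, upper bound only. */
static int signed_guard_rejects(int id)
{
	return id >= MAX_OVERLAYS;
}

/* Same compare with 'unsigned int id': a negative value wraps to a huge one. */
static int unsigned_guard_rejects(unsigned int id)
{
	return id >= MAX_OVERLAYS;
}

/* Exponent BIT_MASK() would shift by for a signed id; computed, never shifted. */
static int shift_exponent(int id)
{
	return id % BITS_PER_LONG;
}

/* Clear the bit only for an in-range id: 0 on success, -1 if rejected. */
static int untrack(unsigned int id)
{
	if (id >= MAX_OVERLAYS)
		return -1;
	id_bits[BIT_WORD(id)] &= ~BIT_MASK(id);
	return 0;
}

int main(void)
{
	int id = -1;	/* constructed: id minus the first overlay id went negative */

	printf("signed guard rejects %d: %d\n", id, signed_guard_rejects(id));
	printf("shift exponent for %d: %d\n", id, shift_exponent(id));
	printf("unsigned guard rejects: %d\n", unsigned_guard_rejects((unsigned int)id));
	printf("untrack returns: %d\n", untrack((unsigned int)id));
	return 0;
}
```

For id = -1 the signed guard does not reject and the shift exponent is -1, the value in the UBSAN report; the unsigned guard rejects the same input before any shift happens.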
