This bug is triggered by IGT's igt@debugfs_test@read_all_entries on bxt-j3405 and kbl-7260u when running a couple of days old drm-tip.

[ 3580.104980] ==================================================================
[ 3580.105148] BUG: KASAN: stack-out-of-bounds in string+0x1af/0x1f0
[ 3580.105223] Read of size 1 at addr ffff88022878f8e6 by task debugfs_test/29219
[ 3580.105337] CPU: 1 PID: 29219 Comm: debugfs_test Tainted: G U 4.12.0-rc7-CI-CI_DRM_450+ #1
[ 3580.105345] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./J3455-ITX, BIOS P1.10 09/29/2016
[ 3580.105353] Call Trace:
[ 3580.105366] dump_stack+0x67/0x99
[ 3580.105380] print_address_description+0x77/0x290
[ 3580.105392] ? string+0x1af/0x1f0
[ 3580.105403] kasan_report+0x269/0x350
[ 3580.105418] __asan_report_load1_noabort+0x14/0x20
[ 3580.105429] string+0x1af/0x1f0
[ 3580.105446] vsnprintf+0x374/0x1c20
[ 3580.105464] ? pointer+0xa80/0xa80
[ 3580.105489] seq_vprintf+0xbf/0x1a0
[ 3580.105502] ? drm_dp_dpcd_access+0x177/0x1c0
[ 3580.105515] seq_printf+0x8b/0xb0
[ 3580.105526] ? seq_vprintf+0x1a0/0x1a0
[ 3580.105538] ? memcpy+0x45/0x50
[ 3580.105558] drm_dp_downstream_debug+0x1b5/0x450
[ 3580.105573] ? drm_dp_downstream_id+0x20/0x20
[ 3580.105582] ? seq_printf+0x8b/0xb0
[ 3580.105593] ? seq_vprintf+0x1a0/0x1a0
[ 3580.105604] ? drm_mode_object_put+0xc2/0x120
[ 3580.105617] ? drm_connector_list_iter_next+0x124/0x1c0
[ 3580.105734] i915_display_info+0x1308/0x1fc0 [i915]
[ 3580.105844] ? intel_seq_print_mode.constprop.14+0x400/0x400 [i915]
[ 3580.105873] seq_read+0x322/0x11f0
[ 3580.105897] ? seq_lseek+0x380/0x380
[ 3580.105910] ? lock_acquire+0x143/0x390
[ 3580.105921] ? debugfs_atomic_t_get+0x80/0x80
[ 3580.105945] full_proxy_read+0x102/0x180
[ 3580.105958] ? full_proxy_write+0x180/0x180
[ 3580.105972] ? debug_check_no_obj_freed+0x495/0x760
[ 3580.105983] ? lock_acquire+0x390/0x390
[ 3580.105993] ? debug_check_no_obj_freed+0x15f/0x760
[ 3580.106010] __vfs_read+0xdb/0x600
[ 3580.106026] ? clone_verify_area+0x1c0/0x1c0
[ 3580.106037] ? debug_check_no_obj_freed+0x495/0x760
[ 3580.106063] ? putname+0xbc/0xf0
[ 3580.106076] ? rcu_lockdep_current_cpu_online+0xdc/0x130
[ 3580.106086] ? putname+0xbc/0xf0
[ 3580.106096] ? rcu_read_lock_sched_held+0xa3/0x130
[ 3580.106113] vfs_read+0xfc/0x300
[ 3580.106127] SyS_read+0xcb/0x1b0
[ 3580.106141] ? vfs_copy_file_range+0x960/0x960
[ 3580.106151] ? trace_hardirqs_on_caller+0x287/0x590
[ 3580.106165] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 3580.106183] entry_SYSCALL_64_fastpath+0x1c/0xb1
[ 3580.106193] RIP: 0033:0x7f32163a4500
[ 3580.106201] RSP: 002b:00007ffc29dfe058 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 3580.106217] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f32163a4500
[ 3580.106225] RDX: 000000000000003f RSI: 000000000075c170 RDI: 0000000000000006
[ 3580.106233] RBP: ffffffff81209956 R08: 00007f321638ec38 R09: 0000000000000000
[ 3580.106241] R10: 0000000000000000 R11: 0000000000000246 R12: ffff88022878ff98
[ 3580.106249] R13: ffffffff81cb7c63 R14: ffff88022878ff70 R15: 000000000075c170
[ 3580.106261] ? __this_cpu_preempt_check+0x13/0x20
[ 3580.106272] ? trace_hardirqs_off_caller+0x1d6/0x2c0
[ 3580.106320] The buggy address belongs to the page:
[ 3580.106381] page:ffffea0008a1e3c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 3580.106478] flags: 0x8000000000000000()
[ 3580.106532] raw: 8000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 3580.106621] raw: 0000000000000000 dead000000000200 0000000000000000 0000000000000000
[ 3580.106709] page dumped because: kasan: bad access detected
[ 3580.106810] Memory state around the buggy address:
[ 3580.106882] ffff88022878f780: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f4 f3 f3
[ 3580.106987] ffff88022878f800: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3580.107093] >ffff88022878f880: f1 f1 f1 f1 02 f4 f4 f4 f2 f2 f2 f2 06 f4 f4 f4
[ 3580.107198]                                                    ^
[ 3580.107283] ffff88022878f900: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 3580.107388] ffff88022878f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[ 3580.107491] ==================================================================
[ 3580.107596] Disabling lock debugging due to kernel taint
Full logs: https://intel-gfx-ci.01.org/CI/kasan/kbl-7260u:igt@debugfs_test@read_all_entries.html

Bumping the importance because it is potentially usable by ill-intended people.
It's just a small bit of undefined behaviour, not untrusted input -- it should not be attackable. Mika Kuoppola has/had a patch for this the last time we did a trawl with kasan.
(In reply to Martin Peres from comment #1)
> ...
> Bumping the importance because it is potentially usable by ill-intended
> people.

(In reply to Chris Wilson from comment #2)
> It's just a small bit of undefined behaviour, not untrusted input -- it
> should not be attackable. Mika Kuoppola has/had a patch for this the last
> time we did a trawl with kasan.

Good afternoon,

Based on the previous comments, is it necessary to change the priority on this bug, or is it good at highest?

Thank you.
We should just get this fixed and move on. Since Mika is now on vacation, I've taken the liberty of sending a patch instead.
Fixed by

commit 967003bb2cae121d345fd807eb757d9422229713
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Jul 20 18:45:32 2017 +0100

    drm/dp: Don't trust drm_dp_downstream_id()

in drm-misc-fixes
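For readers triaging a report like this one, the shadow bytes in the KASAN dump already tell the story: the granule under the caret reads `06`, meaning a 6-byte stack object, and the faulting address ffff88022878f8e6 is offset 6 within that granule, so `string()` (called from `seq_printf` in `drm_dp_downstream_debug`) read exactly one byte past the end of a six-byte buffer while scanning for a NUL terminator. The example below is added here as an illustration and is not the kernel's code nor the patch named above; `mock_read_downstream_id()`, the sample DPCD bytes and the `format_id_*` helpers are constructed for the example. It shows the general pattern (a fixed-width register read handed to `%s`) and two standard ways to close it: reserve room for a terminator, or bound the conversion with `%.*s`.

```c
#include <stdio.h>
#include <string.h>

/* Branch-device ID as read from DPCD: exactly six bytes, no NUL terminator. */
#define DP_DOWNSTREAM_ID_LEN 6

/*
 * Constructed stand-in for the DPCD register read (hypothetical helper, not
 * the kernel's drm_dp_downstream_id()): it writes exactly six bytes and, like
 * a real register read, never appends a terminator.
 */
static void mock_read_downstream_id(unsigned char *id)
{
    /* Constructed sample value, not taken from any real sink. */
    static const unsigned char dpcd_bytes[DP_DOWNSTREAM_ID_LEN] =
        { 'S', 'Y', 'N', 'A', '0', '1' };

    memcpy(id, dpcd_bytes, DP_DOWNSTREAM_ID_LEN);
}

/*
 * The defective shape behind the stack-out-of-bounds report, kept as a comment
 * so nothing in this file executes it:
 *
 *     char id[6];
 *     read_downstream_id(id);
 *     seq_printf(m, "ID: %s\n", id);   // %s walks past id[5] looking for NUL
 *
 * With no terminator inside the buffer the format routine keeps reading
 * whatever sits next on the stack; with KASAN enabled that is the 1-byte read
 * at offset 6 of a 6-byte object seen above, without KASAN it silently leaks
 * neighbouring stack bytes into the debugfs output.
 */

/* Fix 1: give the buffer room for a terminator and always write it. */
static int format_id_terminated(char *out, size_t outlen)
{
    unsigned char id[DP_DOWNSTREAM_ID_LEN + 1];

    memset(id, 0, sizeof(id));            /* id[6] stays 0 whatever is read */
    mock_read_downstream_id(id);          /* fills id[0..5] only */
    return snprintf(out, outlen, "ID: %s", (const char *)id);
}

/* Fix 2: keep the six-byte buffer but bound the conversion itself. */
static int format_id_bounded(char *out, size_t outlen)
{
    unsigned char id[DP_DOWNSTREAM_ID_LEN];

    mock_read_downstream_id(id);
    /* %.*s prints at most N bytes and stops early at a NUL if one appears. */
    return snprintf(out, outlen, "ID: %.*s",
                    DP_DOWNSTREAM_ID_LEN, (const char *)id);
}

int main(void)
{
    char line[32];

    format_id_terminated(line, sizeof(line));
    puts(line);
    format_id_bounded(line, sizeof(line));
    puts(line);
    return 0;
}
```

Both fixes produce the same output for well-formed IDs; the bounded form is the one to prefer when the buffer size is dictated by the register layout and cannot grow, because it keeps the limit at the point of use rather than relying on every caller to zero-fill.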
closing