On Tue, 20 Feb 2024 07:45:18 -0800 Guenter Roeck <linux@xxxxxxxxxxxx> wrote:

> Would it be possible to run the stack trace through scripts/decode/stacktrace.sh ?
> I am having trouble associating the backtrace with the actual source.
>
> Also, did you by any chance try the same configuration on the same system with
> a pre-6.8 kernel ? The source code locations I did find (unless they are completely
> off) point to code that wasn't changed on after v6.7, so it would help to understand
> if this is a new problem or one that is exposed by your board.

Hi Günter!

I tried v6.6 just now and got the issue there too.

./scripts/decode_stacktrace.sh /boot/vmlinuz-6.8.0-rc5-Zen3 < ~ef/dmesg_68-rc5_zen3_v01 gives me:

[...]
nct6775: Found NCT6798D or compatible chip at 0x2e:0x290
BTRFS info (device nvme0n1p7: state M): use lzo compression, level 0
loop: module loaded
==================================================================
BUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core
systemd-journald[867]: Collecting audit messages is disabled.
Read of size 2 at addr ffffffffc0863104 by task systemd-modules/868

CPU: 23 PID: 868 Comm: systemd-modules Not tainted 6.8.0-rc5-Zen3 #3
Hardware name: To Be Filled By O.E.M. B550M Pro4/B550M Pro4, BIOS P3.40 01/18/2024
systemd[1]: Mounted dev-hugepages.mount.
Call Trace:
<TASK>
dump_stack_lvl+0x37/0x52
print_report+0x17e/0x505
? nct6775_reg_read (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:352) nct6775
? srso_alias_return_thunk+0x5/0xfbef5
? nct6775_probe+0x5654/0x6fe9 nct6775_core
kasan_report+0xb9/0xe4
? nct6775_probe+0x5654/0x6fe9 nct6775_core
nct6775_probe+0x5654/0x6fe9 nct6775_core
? show_tsi_temp+0xa7/0xa7 nct6775_core
? srso_alias_return_thunk+0x5/0xfbef5
? add_dr+0x77/0x11f
? srso_alias_return_thunk+0x5/0xfbef5
? do_raw_spin_unlock+0x5d/0x1b6
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? nct6775_platform_probe (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:974) nct6775
platform_probe+0xe0/0x153
really_probe+0x28a/0x57b
? driver_probe_device+0xc7/0xc7
__driver_probe_device+0x20b/0x265
? driver_probe_device+0xc7/0xc7
driver_probe_device+0x45/0xc7
__device_attach_driver+0x15e/0x1b4
bus_for_each_drv+0x12c/0x15c
? __cond_resched+0x58/0x63
? bus_rescan_devices+0x14/0x14
? _raw_spin_unlock_irqrestore+0xd/0x1e
? srso_alias_return_thunk+0x5/0xfbef5
__device_attach+0x19a/0x241
? device_driver_attach+0x95/0x95
? do_raw_spin_unlock+0x5d/0x1b6
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
bus_probe_device+0x7d/0x14e
device_add+0x5e9/0xf93
? get_device_parent+0x336/0x336
? srso_alias_return_thunk+0x5/0xfbef5
? __insert_resource+0x2d/0x302
platform_device_add+0x33b/0x456
sensors_nct6775_platform_init+0x87b/0x1000 nct6775
? 0xffffffffc0887000
? superio_wmi_exit (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:205) nct6775
? superio_outb (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:220) nct6775
? superio_inb (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:229) nct6775
? superio_exit (/usr/src/linux-6.7.4-gentoo/drivers/hwmon/nct6775-platform.c:189) nct6775
? nct6775_asuswmi_read+0xc6/0xc6 nct6775
? 0xffffffffc0887000
do_one_initcall+0xf4/0x2a1
? efi_enabled.constprop.0+0x50/0x50
? srso_alias_return_thunk+0x5/0xfbef5
? local_clock_noinstr+0xc/0xa8
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? kasan_unpoison+0x3c/0x47
do_init_module+0x272/0x5a2
? kfree+0xc8/0x14f
load_module+0x3529/0x386d
? module_frob_arch_sections+0x16/0x16
? __vmalloc_node+0xa9/0xc8
? mode_strip_umask.isra.0+0x73/0x73
? init_module_from_file+0xc4/0xfb
? srso_alias_return_thunk+0x5/0xfbef5
init_module_from_file+0xc4/0xfb
? __do_sys_init_module+0x19f/0x19f
? srso_alias_return_thunk+0x5/0xfbef5
? do_raw_spin_unlock+0x5d/0x1b6
__do_sys_finit_module+0x2b8/0x468
? init_module_from_file+0xfb/0xfb
do_syscall_64+0x84/0xee
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f3a1a92d479
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 87 89 0c 00 f7 d8 64 89 01 48
All code
========
   0:	ff c3                	inc    %ebx
   2:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
   9:	00 00 00
   c:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	ret
  33:	48 8b 0d 87 89 0c 00 	mov    0xc8987(%rip),%rcx        # 0xc89c1
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	ret
   9:	48 8b 0d 87 89 0c 00 	mov    0xc8987(%rip),%rcx        # 0xc8997
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
RSP: 002b:00007ffe6900a178 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000055ee345bd630 RCX: 00007f3a1a92d479
RDX: 0000000000000000 RSI: 00007f3a1ad6f70f RDI: 0000000000000008
RBP: 0000000000000000 R08: 00007f3a1a9f6b20 R09: fffffffffffffe98
R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
R13: 00007f3a1ad6f70f R14: 000055ee345bd320 R15: 0000000000000000
</TASK>

The buggy address belongs to the variable:
_sub_I_65535_1+0x10f60/0xe5c nct6775_core

Memory state around the buggy address:
 ffffffffc0863000: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
 ffffffffc0863080: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
>ffffffffc0863100: 04 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
                   ^
 ffffffffc0863180: 04 f9 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
 ffffffffc0863200: 00 06 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
==================================================================
Disabling lock debugging due to kernel taint
[...]

Regards,
Erhard