Re: Needed in 5.4.y: [PATCH 5.10 055/126] ACPI: tables: x86: Reserve memory occupied by ACPI tables

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 4/28/2021 12:57 AM, Greg Kroah-Hartman wrote:
On Tue, Apr 27, 2021 at 06:18:05PM -0400, George Kennedy wrote:
CC+ stable@xxxxxxxxxxxxxxx

On 4/27/2021 6:17 PM, George Kennedy wrote:
Hello Greg,

We need the following 2 upstream commits applied to 5.4.y to fix an iBFT
boot failure:

2021-03-29 rafael.j.wysocki@xxxxxxxxx - 1a1c130a 2021-03-23 Rafael J.
Wysocki ACPI: tables: x86: Reserve memory occupied by ACPI tables
2021-04-13 rafael.j.wysocki@xxxxxxxxx - 6998a88 2021-04-13 Rafael J.
Wysocki ACPI: x86: Call acpi_boot_table_init() after
acpi_table_upgrade()

Currently, only the first commit (1a1c130a) is destined for 5.10 & 5.11.

The 2nd commit (6998a88) is needed as well and both commits are needed
in 5.4.y.
Is this a regression (i.e. did this hardware work on older kernels?),
and if so, what commit caused the problem?

These commits are already in 5.10.y, what changed in older kernels to
require this to be backported?

Not sure. With KASAN enabled the bug is exposed, but only during boot as the ACPI tables are freed and their memory re-alloc'd. Silent data corruption occurs if KASAN not enabled.

This is a latent bug that in upstream was more readily exposed with the following commit:

commit 7fef431be9c9ac255838a9578331567b9dba4477
Author: David Hildenbrand <david@xxxxxxxxxx>
Date:   Thu Oct 15 20:09:35 2020 -0700     mm/page_alloc: place pages to tail in __free_pages_core()



This is the failure with latest upstream stable and KASAN enabled:

[   22.986842] OPA Virtual Network Driver - v1.0
[   22.988565] iBFT detected.
[   22.989244] ==================================================================
[   22.990233] BUG: KASAN: use-after-free in ibft_init+0x134/0xb8b
[   22.990233] Read of size 4 at addr ffff8880be451004 by task swapper/0/1
[   22.990233]
[   22.990233] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.4.115-rc1.syzk #1
[   22.990233] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
[   22.990233] Call Trace:
[   22.990233]  dump_stack+0xd4/0x119
[   22.990233]  ? ibft_init+0x134/0xb8b
[   22.990233]  print_address_description.constprop.6+0x20/0x220
[   22.990233]  ? ibft_init+0x134/0xb8b
[   22.990233]  ? ibft_init+0x134/0xb8b
[   22.990233]  __kasan_report.cold.9+0x37/0x77
[   22.990233]  ? ibft_init+0x134/0xb8b
[   22.990233]  kasan_report+0x14/0x20
[   22.990233]  __asan_report_load_n_noabort+0xf/0x20
[   22.990233]  ibft_init+0x134/0xb8b
[   22.990233]  ? dmi_sysfs_init+0x1a5/0x1a5
[   22.990233]  ? dmi_walk+0x72/0x90
[   22.990233]  ? ibft_check_initiator_for+0x159/0x159
[   22.990233]  ? rvt_init_port+0x110/0x110
[   22.990233]  ? ibft_check_initiator_for+0x159/0x159
[   22.990233]  do_one_initcall+0xc3/0x480
[   22.990233]  ? perf_trace_initcall_level+0x410/0x410
[   22.990233]  kernel_init_freeable+0x54c/0x66e
[   22.990233]  ? start_kernel+0x94b/0x94b
[   22.990233]  ? __switch_to_asm+0x34/0x70
[   22.990233]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   22.990233]  ? __kasan_check_write+0x14/0x20
[   22.990233]  ? rest_init+0xe6/0xe6
[   22.990233]  kernel_init+0x16/0x1ca
[   22.990233]  ? rest_init+0xe6/0xe6
[   22.990233]  ret_from_fork+0x35/0x40
[   22.990233]
[   22.990233] The buggy address belongs to the page:
[   22.990233] page:ffffea0002f91440 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1
[   22.990233] flags: 0xfffffc0000000()
[   22.990233] raw: 000fffffc0000000 ffffea0002f914c8 ffffea0002fa4708 0000000000000000 [   22.990233] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   22.990233] page dumped because: kasan: bad access detected
[   22.990233]
[   22.990233] Memory state around the buggy address:
[   22.990233]  ffff8880be450f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [   22.990233]  ffff8880be450f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [   22.990233] >ffff8880be451000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   22.990233]                    ^
[   22.990233]  ffff8880be451080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [   22.990233]  ffff8880be451100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [   22.990233] ==================================================================
[   22.990233] Disabling lock debugging due to kernel taint
[   23.047129] Kernel panic - not syncing: panic_on_warn set ...
[   23.048110] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G B             5.4.115-rc1v5.4.114-21-gf9824ac.syzk #1 [   23.048110] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
[   23.048110] Call Trace:
[   23.048110]  dump_stack+0xd4/0x119
[   23.048110]  ? ibft_init+0xc3/0xb8b
[   23.048110]  panic+0x28f/0x6ad
[   23.048110]  ? add_taint.cold.9+0x16/0x16
[   23.048110]  ? ibft_init+0x134/0xb8b
[   23.048110]  ? add_taint+0x47/0x90
[   23.048110]  ? add_taint+0x47/0x90
[   23.048110]  ? ibft_init+0x134/0xb8b
[   23.048110]  ? ibft_init+0x134/0xb8b
[   23.048110]  end_report+0x4c/0x54
[   23.048110]  __kasan_report.cold.9+0x55/0x77
[   23.048110]  ? ibft_init+0x134/0xb8b
[   23.048110]  kasan_report+0x14/0x20
[   23.048110]  __asan_report_load_n_noabort+0xf/0x20
[   23.048110]  ibft_init+0x134/0xb8b
[   23.048110]  ? dmi_sysfs_init+0x1a5/0x1a5
[   23.048110]  ? dmi_walk+0x72/0x90
[   23.048110]  ? ibft_check_initiator_for+0x159/0x159
[   23.048110]  ? rvt_init_port+0x110/0x110
[   23.048110]  ? ibft_check_initiator_for+0x159/0x159
[   23.048110]  do_one_initcall+0xc3/0x480
[   23.048110]  ? perf_trace_initcall_level+0x410/0x410
[   23.048110]  kernel_init_freeable+0x54c/0x66e
[   23.048110]  ? start_kernel+0x94b/0x94b
[   23.048110]  ? __switch_to_asm+0x34/0x70
[   23.048110]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   23.048110]  ? __kasan_check_write+0x14/0x20
[   23.048110]  ? rest_init+0xe6/0xe6
[   23.048110]  kernel_init+0x16/0x1ca
[   23.048110]  ? rest_init+0xe6/0xe6
[   23.048110]  ret_from_fork+0x35/0x40
[   23.048110] Dumping ftrace buffer:
[   23.048110] ---------------------------------
[   23.048110] rb_produ-210       3.... 7555323us : ring_buffer_producer_thread: Starting ring buffer hammer [   23.048110] rb_produ-210       3.... 17555348us : ring_buffer_producer_thread: End ring buffer hammer [   23.048110] rb_produ-210       3.... 17640105us : ring_buffer_producer_thread: Running Consumer at nice: 19 [   23.048110] rb_produ-210       3.... 17640111us : ring_buffer_producer_thread: Running Producer at nice: 19 [   23.048110] rb_produ-210       3.... 17640113us : ring_buffer_producer_thread: WARNING!!! This test is running at lowest priority. [   23.048110] rb_produ-210       3.... 17640118us : ring_buffer_producer_thread: Time:     10000017 (usecs) [   23.048110] rb_produ-210       3.... 17640122us : ring_buffer_producer_thread: Overruns: 4460970 [   23.048110] rb_produ-210       3.... 17640129us : ring_buffer_producer_thread: Read:     3807780  (by events) [   23.048110] rb_produ-210       3.... 17640134us : ring_buffer_producer_thread: Entries:  0 [   23.048110] rb_produ-210       3.... 17640137us : ring_buffer_producer_thread: Total:    8268750 [   23.048110] rb_produ-210       3.... 17640142us : ring_buffer_producer_thread: Missed:   0 [   23.048110] rb_produ-210       3.... 17640146us : ring_buffer_producer_thread: Hit:      8268750 [   23.048110] rb_produ-210       3.... 17640150us : ring_buffer_producer_thread: Entries per millisec: 826 [   23.048110] rb_produ-210       3.... 17640154us : ring_buffer_producer_thread: 1210 ns per entry [   23.048110] rb_produ-210       3.... 17640157us : ring_buffer_producer_thread: Sleeping for 10 secs
[   23.048110] ---------------------------------

2021-04-26 gregkh@xxxxxxxxxxxxxxxxxxx - f9824ac 2021-04-26 Greg Kroah-Hartman Linux 5.4.115-rc1

Because the failure occurs during boot, syzkaller did not expose this bug.

George


thanks,

greg k-h




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux