BUG: KASAN: slab-out-of-bounds in acpi_cppc_processor_probe+0x15c/0xa50

From: Mike Galbraith
Date: Fri Apr 16 2021 - 10:16:04 EST
[ 6.343387] BUG: KASAN: slab-out-of-bounds in acpi_cppc_processor_probe+0x15c/0xa50
[ 6.343474] Read of size 4 at addr ffff888120cf1630 by task swapper/0/1

[ 6.343565] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G I 5.12.0.g8b1fdf9-tip #2
[ 6.343654] Hardware name: HP HP Spectre x360 Convertible/804F, BIOS F.47 11/22/2017
[ 6.343735] Call Trace:
[ 6.343766] ? acpi_cppc_processor_probe+0x15c/0xa50
[ 6.343824] dump_stack+0x8a/0xb5
[ 6.343865] print_address_description.constprop.0+0x16/0xa0
[ 6.343931] kasan_report+0xcb/0x110
[ 6.343974] ? acpi_cppc_processor_probe+0x15c/0xa50
[ 6.344032] acpi_cppc_processor_probe+0x15c/0xa50
[ 6.344086] ? mutex_unlock+0x1d/0x40
[ 6.344130] ? kernfs_add_one+0x1b1/0x210
[ 6.344177] ? __might_sleep+0x31/0xd0
[ 6.344223] ? acpi_get_psd_map+0x2d0/0x2d0
[ 6.344271] ? mutex_lock+0x91/0xd0
[ 6.344313] __acpi_processor_start+0x4e/0x150
[ 6.344364] acpi_processor_start+0x3d/0x60
[ 6.344412] really_probe+0x182/0x6c0
[ 6.344458] driver_probe_device+0x13f/0x1d0
[ 6.346259] device_driver_attach+0x110/0x120
[ 6.347081] ? device_driver_attach+0x120/0x120
[ 6.347081] __driver_attach+0xae/0x190
[ 6.347081] ? device_driver_attach+0x120/0x120
[ 6.347081] bus_for_each_dev+0xd8/0x120
[ 6.347081] ? subsys_dev_iter_exit+0x10/0x10
[ 6.347081] bus_add_driver+0x1f8/0x2e0
[ 6.347081] driver_register+0x10f/0x190
[ 6.347081] acpi_processor_driver_init+0x2f/0xc3
[ 6.347081] ? acpi_pci_slot_init+0x11/0x11
[ 6.347081] do_one_initcall+0x71/0x260
[ 6.347081] ? trace_event_raw_event_initcall_finish+0x120/0x120
[ 6.347081] ? parameq+0x90/0x90
[ 6.347081] ? kasan_unpoison+0x21/0x50
[ 6.347081] ? __kasan_slab_alloc+0x24/0x70
[ 6.347081] do_initcalls+0xff/0x129
[ 6.347081] kernel_init_freeable+0x19c/0x1ce
[ 6.347081] ? rest_init+0xc6/0xc6
[ 6.347081] kernel_init+0xd/0x11a
[ 6.347081] ret_from_fork+0x1f/0x30

[ 6.347081] Allocated by task 1:
[ 6.347081] kasan_save_stack+0x1b/0x40
[ 6.347081] __kasan_kmalloc+0x7a/0x90
[ 6.347081] acpi_ut_initialize_buffer+0x41/0x8b
[ 6.347081] acpi_evaluate_object+0x306/0x395
[ 6.347081] acpi_evaluate_object_typed+0xd4/0x201
[ 6.347081] acpi_cppc_processor_probe+0xa0/0xa50
[ 6.347081] __acpi_processor_start+0x4e/0x150
[ 6.347081] acpi_processor_start+0x3d/0x60
[ 6.347081] really_probe+0x182/0x6c0
[ 6.347081] driver_probe_device+0x13f/0x1d0
[ 6.347081] device_driver_attach+0x110/0x120
[ 6.347081] __driver_attach+0xae/0x190
[ 6.347081] bus_for_each_dev+0xd8/0x120
[ 6.347081] bus_add_driver+0x1f8/0x2e0
[ 6.347081] driver_register+0x10f/0x190
[ 6.347081] acpi_processor_driver_init+0x2f/0xc3
[ 6.347081] do_one_initcall+0x71/0x260
[ 6.347081] do_initcalls+0xff/0x129
[ 6.347081] kernel_init_freeable+0x19c/0x1ce
[ 6.347081] kernel_init+0xd/0x11a
[ 6.347081] ret_from_fork+0x1f/0x30

[ 6.347081] The buggy address belongs to the object at ffff888120cf1600
which belongs to the cache kmalloc-64 of size 64
[ 6.347081] The buggy address is located 48 bytes inside of
64-byte region [ffff888120cf1600, ffff888120cf1640)
[ 6.347081] The buggy address belongs to the page:
[ 6.347081] page:000000001f073982 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x120cf1
[ 6.347081] flags: 0x8000000000000200(slab)
[ 6.347081] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100042640
[ 6.347081] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 6.347081] page dumped because: kasan: bad access detected

[ 6.347081] Memory state around the buggy address:
[ 6.347081] ffff888120cf1500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 6.347081] ffff888120cf1580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 6.347081] >ffff888120cf1600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 6.347081] ^
[ 6.347081] ffff888120cf1680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6.347081] ffff888120cf1700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc