Bug 219291

| Summary: | KASAN: slab-use-after-free in acpi_ps_parse_loop+0x1f40/0x26f0 | | |
|---|---|---|---|
| Product: | ACPI | Reporter: | AceLan Kao (acelan) |
| Component: | ACPICA-Core | Assignee: | acpi_acpica-core (acpi_acpica-core) |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | max.lee |
| Priority: | P3 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | dmesg + kasan; acpidump; dmesg with acpi.debug_level=0x4400 acpi.debug_layer=0x0038 | | |
Created attachment 306901: acpidump

Created attachment 306912: dmesg with acpi.debug_level=0x4400 acpi.debug_layer=0x0038

It's parsing _SB.UBTC.RUCC before encountering the KASAN error.
I can't figure out where it went wrong.

[ 3.934757] localhost kernel: acpi_ns_get_normalized_pathname: Path "\_SB.UBTC.TPLD"
[ 3.934760] localhost kernel: nssearch-0074 ns_search_one_scope : Searching \_SB.UBTC.TPLD (ffff888108bf26e8) For [HGT_] (Untyped)
[ 3.934766] localhost kernel: nssearch-0107 ns_search_one_scope : Name [HGT_] (BufferField) ffff888107536e68 found in scope [TPLD] ffff888>
[ 3.934773] localhost kernel: nsaccess-0399 ns_lookup : Searching relative to prefix scope [TPLD] (ffff888108bf26e8)
[ 3.934778] localhost kernel: nsaccess-0522 ns_lookup : Simple Pathname (1 segment, Flags=3)
[ 3.934782] localhost kernel: nsdump-0064 ns_print_pathname : [HGT_]
[ 3.934790] localhost kernel: acpi_ns_get_normalized_pathname: Path "\_SB.UBTC.TPLD"
[ 3.934793] localhost kernel: nssearch-0074 ns_search_one_scope : Searching \_SB.UBTC.TPLD (ffff888108bf26e8) For [HGT_] (Untyped)
[ 3.934799] localhost kernel: nssearch-0107 ns_search_one_scope : Name [HGT_] (BufferField) ffff888107536e68 found in scope [TPLD] ffff888>
[ 3.934818] localhost kernel: nsaccess-0399 ns_lookup : Searching relative to prefix scope [TPLD] (ffff888108bf26e8)
[ 3.934823] localhost kernel: nsaccess-0522 ns_lookup : Simple Pathname (1 segment, Flags=3)
[ 3.934827] localhost kernel: nsdump-0064 ns_print_pathname : [PCKG]
[ 3.934835] localhost kernel: acpi_ns_get_normalized_pathname: Path "\_SB.UBTC.TPLD"
[ 3.934838] localhost kernel: nssearch-0074 ns_search_one_scope : Searching \_SB.UBTC.TPLD (ffff888108bf26e8) For [PCKG] (Untyped)
[ 3.934844] localhost kernel: nssearch-0107 ns_search_one_scope : Name [PCKG] (Package) ffff888107536008 found in scope [TPLD] ffff888108b>
[ 3.934851] localhost kernel: nsaccess-0399 ns_lookup : Searching relative to prefix scope [TPLD] (ffff888108bf26e8)
[ 3.934855] localhost kernel: nsaccess-0522 ns_lookup : Simple Pathname (1 segment, Flags=3)
[ 3.934860] localhost kernel: nsdump-0064 ns_print_pathname : [PCKG]
[ 3.934868] localhost kernel: acpi_ns_get_normalized_pathname: Path "\_SB.UBTC.TPLD"
[ 3.934870] localhost kernel: nssearch-0074 ns_search_one_scope : Searching \_SB.UBTC.TPLD (ffff888108bf26e8) For [PCKG] (Untyped)
[ 3.934876] localhost kernel: nssearch-0107 ns_search_one_scope : Name [PCKG] (Package) ffff888107536008 found in scope [TPLD] ffff888108b>
[ 3.934891] localhost kernel: nsobject-0224 ns_detach_object : Node ffff8881087d5098 [__A0] Object ffff8881083ddb58
[ 3.934897] localhost kernel: nsobject-0224 ns_detach_object : Node ffff8881087d50c8 [__A1] Object ffff8881084f6c40
[ 3.934903] localhost kernel: nsobject-0224 ns_detach_object : Node ffff888107536008 [PCKG] Object ffff8881083dcdb0
[ 3.934908] localhost kernel: nsobject-0224 ns_detach_object : Node ffff8881075366e8 [REV_] Object ffff8881083dc178
[ 3.934915] localhost kernel: nsobject-0224 ns_detach_object : Node ffff888107536828 [VISI] Object ffff8881083ddaa0
[ 3.934921] localhost kernel: nsobject-0224 ns_detach_object : Node ffff888107536dc8 [GPOS] Object ffff8881083dc0c0
[ 3.934928] localhost kernel: nsobject-0224 ns_detach_object : Node ffff888107536a08 [SHAP] Object ffff8881083dd200
[ 3.934935] localhost kernel: nsobject-0224 ns_detach_object : Node ffff888107536328 [WID_] Object ffff888108307148
[ 3.934942] localhost kernel: nsobject-0224 ns_detach_object : Node ffff888107536e68 [HGT_] Object ffff888108307ef0
[ 3.934956] localhost kernel: acpi_ns_get_normalized_pathname: Path "\_SB.UBTC.TPLD"
[ 3.934973] localhost kernel: nsobject-0224 ns_detach_object : Node ffff8881087d2098 [__A0] Object ffff8881075c4960
[ 3.934979] localhost kernel: nsobject-0224 ns_detach_object : Node ffff8881087d20c8 [__A1] Object ffff8881075c5b58
[ 3.934986] localhost kernel: acpi_ns_get_normalized_pathname: Path "\_SB.UBTC.RUCC"
[ 3.934994] localhost kernel: ==================================================================
[ 3.934998] localhost kernel: BUG: KASAN: slab-use-after-free in acpi_ps_parse_loop+0x1f40/0x26f0
[ 3.935009] localhost kernel: Read of size 2 at addr ffff88810757db12 by task swapper/0/1

It's a BIOS issue and has been fixed by the BIOS.

Created attachment 306900: dmesg + kasan

Mainline kernel: 6.11.0-2004cef11ea0+

Enabled KASAN in the kernel config and found the KASAN error messages.
It looks like the issue happens while parsing the ACPI tables.

[ 2.147393] BUG: KASAN: slab-use-after-free in acpi_ps_parse_loop+0x1f40/0x26f0
[ 2.147403] Read of size 2 at addr ffff888107eac012 by task swapper/0/1
[ 2.147410] CPU: 16 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-2004cef11ea0+ #39
[ 2.147415] Hardware name: Dell Inc. Dell Tower E0T2250/, BIOS 0.6.19 07/12/2024
[ 2.147420] Call Trace:
[ 2.147422] <TASK>
[ 2.147426] dump_stack_lvl+0x72/0xa0
[ 2.147432] print_report+0xd1/0x670
[ 2.147437] ? _raw_read_unlock_irqrestore+0x60/0x60
[ 2.147441] ? ret_from_fork_asm+0x11/0x20
[ 2.147445] ? kasan_complete_mode_report_info+0x66/0x1c0
[ 2.147449] kasan_report+0xd6/0x110
[ 2.147453] ? acpi_ps_parse_loop+0x1f40/0x26f0
[ 2.147456] ? acpi_ps_parse_loop+0x1f40/0x26f0
[ 2.147460] __asan_report_load2_noabort+0x14/0x20
[ 2.147464] acpi_ps_parse_loop+0x1f40/0x26f0
[ 2.147468] ? acpi_ps_get_next_arg+0x14e0/0x14e0
[ 2.147472] ? acpi_ds_delete_walk_state+0x22d/0x370
[ 2.147476] acpi_ps_parse_aml+0x616/0xf50
[ 2.147480] ? acpi_ut_create_internal_object_dbg+0x1a2/0x240
[ 2.147484] acpi_ps_execute_method+0x52e/0xde0
[ 2.147488] ? acpi_ut_acquire_mutex+0x1a7/0x490
[ 2.147492] acpi_ns_evaluate+0x530/0x14a0
[ 2.147496] acpi_evaluate_object+0x37d/0xca0
[ 2.147499] ? acpi_get_data_full+0xf0/0xf0
[ 2.147503] ? kobject_set_name_vargs+0xb3/0x120
[ 2.147507] acpi_get_physical_device_location+0x8b/0x250
[ 2.147512] ? acpi_handle_list_equal+0x120/0x120
[ 2.147516] acpi_device_add+0x389/0xa10
[ 2.147520] ? acpi_tie_acpi_dev+0x90/0x90
[ 2.147523] ? acpi_scan_check_and_detach+0x240/0x240
[ 2.147527] acpi_add_single_object+0x834/0x1ad0
[ 2.147531] ? acpi_ns_get_node+0x89/0xe0
[ 2.147535] ? acpi_get_handle+0xdf/0x220
[ 2.147538] ? acpi_get_data+0xb0/0xb0
[ 2.147541] ? acpi_init_device_object+0x1e40/0x1e40
[ 2.147545] ? acpi_mipi_check_crs_csi2+0xa6/0x310
[ 2.147549] ? up+0x75/0xc0
[ 2.147553] ? acpi_has_method+0x68/0xa0
[ 2.147557] ? acpi_get_physical_device_location+0x250/0x250
[ 2.147561] acpi_bus_check_add+0x206/0x6e0
[ 2.147565] ? arch_acpi_add_auto_dep+0x10/0x10
[ 2.147568] ? __kasan_check_write+0x14/0x20
[ 2.147572] ? _raw_spin_lock_irqsave+0x96/0x100
[ 2.147576] ? acpi_os_signal_semaphore+0xf4/0x150
[ 2.147580] acpi_bus_check_add_1+0x16/0x20
[ 2.147583] acpi_ns_walk_namespace+0x32a/0x560
[ 2.147587] ? acpi_bus_check_add+0x6e0/0x6e0
[ 2.147590] ? acpi_bus_check_add+0x6e0/0x6e0
[ 2.147594] acpi_walk_namespace+0x158/0x170
[ 2.147598] acpi_bus_scan+0x351/0x400
[ 2.147602] ? acpi_bus_check_add_1+0x20/0x20
[ 2.147605] ? __kasan_check_write+0x14/0x20
[ 2.147609] ? mutex_lock+0x8e/0xe0
[ 2.147612] ? __mutex_lock_slowpath+0x20/0x20
[ 2.147616] ? acpi_get_table+0x13b/0x1d0
[ 2.147619] acpi_scan_init+0x1e5/0x640
[ 2.147624] ? acpi_hest_init+0x9d/0x2d0
[ 2.147628] ? acpi_match_madt+0xa0/0xa0
[ 2.147631] ? acpi_viot_early_init+0x71/0xc0
[ 2.147634] ? viot_get_iommu+0x790/0x790
[ 2.147637] ? acpi_ffh_address_space_arch_handler+0x10/0x10
[ 2.147640] acpi_init+0x406/0xa20
[ 2.147644] ? acpi_sleep_proc_init+0x60/0x60
[ 2.147645] ? vprintk+0x7d/0x100
[ 2.147645] ? _printk+0xbc/0x100
[ 2.147645] ? rng_is_initialized+0x20/0x20
[ 2.147645] ? acpi_sleep_proc_init+0x60/0x60
[ 2.147645] ? acpi_sleep_proc_init+0x60/0x60
[ 2.147645] do_one_initcall+0xae/0x400
[ 2.147645] ? trace_event_raw_event_initcall_level+0x210/0x210
[ 2.147645] ? kernel_init_freeable+0x83c/0xe90
[ 2.147645] ? kasan_poison+0x3a/0x60
[ 2.147645] kernel_init_freeable+0x9aa/0xe90
[ 2.147645] ? rest_init+0x170/0x170
[ 2.147645] kernel_init+0x1f/0x210
[ 2.147645] ret_from_fork+0x40/0x90
[ 2.147645] ? rest_init+0x170/0x170
[ 2.147645] ret_from_fork_asm+0x11/0x20
[ 2.147645] </TASK>

[ 2.147645] Allocated by task 1:
[ 2.147645] kasan_save_stack+0x39/0x60
[ 2.147645] kasan_save_track+0x14/0x40
[ 2.147645] kasan_save_alloc_info+0x37/0x50
[ 2.147645] __kasan_slab_alloc+0x95/0xa0
[ 2.147645] kmem_cache_alloc_noprof+0x123/0x3d0
[ 2.147645] acpi_ps_alloc_op+0x220/0x2f0
[ 2.147645] acpi_ps_create_op+0x48f/0xcc0
[ 2.147645] acpi_ps_parse_loop+0x79e/0x26f0
[ 2.147645] acpi_ps_parse_aml+0x616/0xf50
[ 2.147645] acpi_ps_execute_method+0x52e/0xde0
[ 2.147645] acpi_ns_evaluate+0x530/0x14a0
[ 2.147645] acpi_evaluate_object+0x37d/0xca0
[ 2.147645] acpi_get_physical_device_location+0x8b/0x250
[ 2.147645] acpi_device_add+0x389/0xa10
[ 2.147645] acpi_add_single_object+0x834/0x1ad0
[ 2.147645] acpi_bus_check_add+0x206/0x6e0
[ 2.147645] acpi_bus_check_add_1+0x16/0x20
[ 2.147645] acpi_ns_walk_namespace+0x32a/0x560
[ 2.147645] acpi_walk_namespace+0x158/0x170
[ 2.147645] acpi_bus_scan+0x351/0x400
[ 2.147645] acpi_scan_init+0x1e5/0x640
[ 2.147645] acpi_init+0x406/0xa20
[ 2.147645] do_one_initcall+0xae/0x400
[ 2.147645] kernel_init_freeable+0x9aa/0xe90
[ 2.147645] kernel_init+0x1f/0x210
[ 2.147645] ret_from_fork+0x40/0x90
[ 2.147645] ret_from_fork_asm+0x11/0x20

[ 2.147645] Freed by task 1:
[ 2.147645] kasan_save_stack+0x39/0x60
[ 2.147645] kasan_save_track+0x14/0x40
[ 2.147645] kasan_save_free_info+0x3b/0x60
[ 2.147645] __kasan_slab_free+0x52/0x70
[ 2.147645] kmem_cache_free+0x1a4/0x560
[ 2.147645] kmem_cache_free+0x1a4/0x560
[ 2.147645] acpi_os_release_object+0xe/0x20
[ 2.147645] acpi_ps_free_op+0xa5/0x200
[ 2.147645] acpi_ps_delete_parse_tree+0x190/0x430
[ 2.147645] acpi_ps_complete_this_op+0x5f3/0xb00
[ 2.147645] acpi_ps_complete_final_op+0x3b8/0x540
[ 2.147645] acpi_ps_parse_loop+0xa68/0x26f0
[ 2.147645] acpi_ps_parse_aml+0x616/0xf50
[ 2.147645] acpi_ps_execute_method+0x52e/0xde0
[ 2.147645] acpi_ns_evaluate+0x530/0x14a0
[ 2.147645] acpi_evaluate_object+0x37d/0xca0
[ 2.147645] acpi_get_physical_device_location+0x8b/0x250
[ 2.147645] acpi_device_add+0x389/0xa10
[ 2.147645] acpi_add_single_object+0x834/0x1ad0
[ 2.147645] acpi_bus_check_add+0x206/0x6e0
[ 2.147645] acpi_bus_check_add_1+0x16/0x20
[ 2.147645] acpi_ns_walk_namespace+0x32a/0x560
[ 2.147645] acpi_walk_namespace+0x158/0x170
[ 2.147645] acpi_bus_scan+0x351/0x400
[ 2.147645] acpi_scan_init+0x1e5/0x640
[ 2.147645] acpi_init+0x406/0xa20
[ 2.147645] do_one_initcall+0xae/0x400
[ 2.147645] kernel_init_freeable+0x9aa/0xe90
[ 2.147645] kernel_init+0x1f/0x210
[ 2.147645] ret_from_fork+0x40/0x90
[ 2.147645] ret_from_fork_asm+0x11/0x20

[ 2.147645] The buggy address belongs to the object at ffff888107eac008 which belongs to the cache Acpi-Parse of size 80
[ 2.147645] The buggy address is located 10 bytes inside of freed 80-byte region [ffff888107eac008, ffff888107eac058)

[ 2.147645] The buggy address belongs to the physical page:
[ 2.147645] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107eac
[ 2.147645] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 2.147645] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[ 2.147645] page_type: 0xfdffffff(slab)
[ 2.147645] raw: 0017ffffc0000040 ffff888100053840 ffffea00041f9f10 ffffea00041fe310
[ 2.147645] raw: 0000000000000000 00000000002a002a 00000001fdffffff 0000000000000000
[ 2.147645] head: 0017ffffc0000040 ffff888100053840 ffffea00041f9f10 ffffea00041fe310
[ 2.147645] head: 0000000000000000 00000000002a002a 00000001fdffffff 0000000000000000
[ 2.147645] head: 0017ffffc0000001 ffffea00041fab01 ffffffffffffffff 0000000000000000
[ 2.147645] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 2.147645] page dumped because: kasan: bad access detected

[ 2.147645] Memory state around the buggy address:
[ 2.147645] ffff888107eabf00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 2.147645] ffff888107eabf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2.147645] >ffff888107eac000: fc fa fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 2.147645]                          ^
[ 2.147645] ffff888107eac080: fc fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
[ 2.147645] ffff888107eac100: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc