
Issue 859668

Issue metadata

Status: Verified
Owner:
Closed: Jul 9
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug


grunt: During shutdown - KASAN: null-ptr-deref in tpm_transmit+0x313/0x736

Project Member Reported by djkurtz@chromium.org, Jul 2

Issue description

Chrome OS Version: R69-10828.0.0 <From about:version: Platform x.x.x.x>
cros/chromeos-4.14 @ 6aecc08af38c9 Revert "FROMLIST: drm/amdgpu: replace mutex with spin_lock (V2)"
Chrome OS Platform: grunt

Steps To Reproduce:
(1) reboot

Expected Result:

No KASAN splat.

Actual Result:


[ 1717.804864] gsmi: Log Shutdown Reason 0x00
[ 1718.794444] ==================================================================
[ 1718.801688] BUG: KASAN: null-ptr-deref in tpm_transmit+0x313/0x736
[ 1718.807875] Read of size 8 at addr 0000000000000048 by task reboot/4262
[ 1718.814483] 
[ 1718.815981] CPU: 1 PID: 4262 Comm: reboot Not tainted 4.14.52 #464
[ 1718.822155] Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.10795.0.0 06/15/2018
[ 1718.829976] Call Trace:
[ 1718.832435]  dump_stack+0x4d/0x63
[ 1718.835757]  kasan_report+0x25f/0x2a9
[ 1718.839422]  tpm_transmit+0x313/0x736
[ 1718.843089]  tpm_transmit_cmd+0x27/0x7f
[ 1718.846928]  tpm2_shutdown+0x69/0xa3
[ 1718.850508]  ? __radix_tree_replace+0xdc/0x125
[ 1718.854955]  ? ___might_sleep+0x80/0x1b6
[ 1718.858878]  ? down_write+0x4f/0x58
[ 1718.862369]  tpm_chip_unregister+0xda/0xff
[ 1718.866468]  cr50_i2c_shutdown+0x2a/0x4d
[ 1718.870395]  device_shutdown+0x254/0x293
[ 1718.874321]  kernel_restart+0x12/0x56
[ 1718.877983]  SYSC_reboot+0x16e/0x1c0
[ 1718.881561]  ? do_writepages+0x5c/0xa8
[ 1718.885311]  ? do_writepages+0x5c/0xa8
[ 1718.889064]  ? __filemap_fdatawrite_range+0x66/0x99
[ 1718.893940]  ? do_raw_spin_unlock+0xc7/0xd1
[ 1718.898125]  ? _atomic_dec_and_lock+0x12/0x4c
[ 1718.902484]  ? iput+0xc0/0x298
[ 1718.905540]  ? poweroff_work_func+0x41/0x41
[ 1718.909725]  do_syscall_64+0xe9/0x10d
[ 1718.913391]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1718.918442] RIP: 0033:0x7cdacb35f316
[ 1718.922017] RSP: 002b:00007ffd9ee1d2a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a9
[ 1718.929583] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007cdacb35f316
[ 1718.936710] RDX: 0000000001234567 RSI: 0000000028121969 RDI: fffffffffee1dead
[ 1718.943838] RBP: 00007ffd9ee1d300 R08: 00005d1f82426310 R09: 0000000000000000
[ 1718.950966] R10: 0000000000000040 R11: 0000000000000202 R12: 0000000000000000
[ 1718.958094] R13: 00007ffd9ee1d3f0 R14: 0000000000000002 R15: 00007ffd9ee1d3f8
[ 1718.965223] ==================================================================
[ 1718.972436] Disabling lock debugging due to kernel taint
[ 1718.977814] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
[ 1718.985651] IP: tpm_transmit+0x313/0x736
[ 1718.989575] PGD 0 P4D 0 
[ 1718.992117] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 1718.994116] smsc95xx 2-3.2.1:1.0 eth0: Failed to read reg index 0x00000114: -22
[ 1718.994122] smsc95xx 2-3.2.1:1.0 eth0: Error reading MII_ACCESS
[ 1718.994127] smsc95xx 2-3.2.1:1.0 eth0: MII is busy in smsc95xx_mdio_read
[ 1718.994132] smsc95xx 2-3.2.1:1.0 eth0: Failed to read MII_BMSR
[ 1719.022833] gsmi: Log Shutdown Reason 0x03
[ 1719.026929] Modules linked in: nls_iso8859_1 nls_cp437 vfat fat uinput btusb btrtl btbcm btintel bluetooth ecdh_generic uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core i2c_piix4 designware_i2s acpi_als snd_soc_max98357a snd_soc_adau7002 snd_soc_acp_da7219mx98357_mach snd_soc_da7219 acp_audio_dma xt_nat bridge stp llc lzo lzo_compress zram ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat xt_mark fuse snd_seq_dummy snd_seq snd_seq_device iio_trig_sysfs ip6table_filter cros_ec_sensors_ring cros_ec_sensors cros_ec_sensors_core industrialio_triggered_buffer kfifo_buf industrialio smsc95xx usbnet mii ath10k_pci ath10k_core mac80211 ath cfg80211 joydev
[ 1719.088068] CPU: 1 PID: 4262 Comm: reboot Tainted: G    B           4.14.52 #464
[ 1719.095455] Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.10795.0.0 06/15/2018
[ 1719.103279] task: ffff880107034140 task.stack: ffff880101ed8000
[ 1719.109200] RIP: 0010:tpm_transmit+0x313/0x736
[ 1719.113643] RSP: 0018:ffff880101edfb98 EFLAGS: 00010246
[ 1719.118869] RAX: 0000000000000296 RBX: ffff880107331168 RCX: ffffffff93b19351
[ 1719.125998] RDX: 677604a586627b00 RSI: 0000000000000003 RDI: ffffffff95273350
[ 1719.133127] RBP: ffff880101edfc30 R08: dffffc0000000000 R09: 00000000ffffffff
[ 1719.140256] R10: fffffbfff2a9b24f R11: ffffc900005ce19b R12: ffff880101edfc84
[ 1719.147385] R13: 0000000000000000 R14: 000000000000000c R15: ffff8801073318d8
[ 1719.154516] FS:  00007cdacb840740(0000) GS:ffff88010af00000(0000) knlGS:0000000000000000
[ 1719.162600] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1719.168343] CR2: 0000000000000048 CR3: 0000000104790000 CR4: 00000000001406e0
[ 1719.175471] Call Trace:
[ 1719.177930]  tpm_transmit_cmd+0x27/0x7f
[ 1719.181772]  tpm2_shutdown+0x69/0xa3
[ 1719.185355]  ? __radix_tree_replace+0xdc/0x125
[ 1719.189804]  ? ___might_sleep+0x80/0x1b6
[ 1719.193731]  ? down_write+0x4f/0x58
[ 1719.197223]  tpm_chip_unregister+0xda/0xff
[ 1719.201324]  cr50_i2c_shutdown+0x2a/0x4d
[ 1719.205253]  device_shutdown+0x254/0x293
[ 1719.209181]  kernel_restart+0x12/0x56
[ 1719.212846]  SYSC_reboot+0x16e/0x1c0
[ 1719.216426]  ? do_writepages+0x5c/0xa8
[ 1719.220176]  ? do_writepages+0x5c/0xa8
[ 1719.223928]  ? __filemap_fdatawrite_range+0x66/0x99
[ 1719.228807]  ? do_raw_spin_unlock+0xc7/0xd1
[ 1719.232995]  ? _atomic_dec_and_lock+0x12/0x4c
[ 1719.237354]  ? iput+0xc0/0x298
[ 1719.240414]  ? poweroff_work_func+0x41/0x41
[ 1719.244598]  do_syscall_64+0xe9/0x10d
[ 1719.248268]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1719.253319] RIP: 0033:0x7cdacb35f316
[ 1719.256893] RSP: 002b:00007ffd9ee1d2a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a9
[ 1719.264460] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007cdacb35f316
[ 1719.271591] RDX: 0000000001234567 RSI: 0000000028121969 RDI: fffffffffee1dead
[ 1719.278721] RBP: 00007ffd9ee1d300 R08: 00005d1f82426310 R09: 0000000000000000
[ 1719.285851] R10: 0000000000000040 R11: 0000000000000202 R12: 0000000000000000
[ 1719.292980] R13: 00007ffd9ee1d3f0 R14: 0000000000000002 R15: 00007ffd9ee1d3f8
[ 1719.300109] Code: 48 8d bb 88 08 00 00 e8 98 eb 6f 00 4c 8d bb 70 07 00 00 4c 89 ff e8 69 7e cb ff 4c 8b ab 70 07 00 00 49 8d 7d 48 e8 59 7e cb ff <49> 8b 45 48 48 85 c0 74 0d be 01 00 00 00 48 89 df e8 29 b6 a6 
[ 1719.319043] RIP: tpm_transmit+0x313/0x736 RSP: ffff880101edfb98
[ 1719.324959] CR2: 0000000000000048
[ 1719.328400] ---[ end trace c6d1ed4a7838b5c8 ]---
[ 1719.378518] Kernel panic - not syncing: Fatal exception
[ 1719.383758] Kernel Offset: 0x12a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 1719.394627] gsmi: Log Shutdown Reason 0x02
[ 1719.425495] ACPI MEMORY or I/O RESET_REG.


How frequently does this problem reproduce? (Always, sometimes, hard to reproduce?)

At least once.

What is the impact to the user, and is there a workaround? If so, what is it?

Unknown.
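The splat above has the standard KASAN report shape: a "BUG: KASAN: <kind> in <func>+<off>" header, an access line giving direction, size, faulting address and task, then a "Call Trace:" whose "?" frames are unreliable guesses. The following triager, an added example that is not part of this bug or of the Chromium OS kernel tree, parses that shape out of raw dmesg text, keeps only the reliable frames, and flags a fault address in the first page (here 0x48) as a NULL struct pointer plus a field offset, which is the detail that separates a plain NULL dereference from a use of arbitrary bad memory. The sample input is an excerpt of the report quoted above with a few frames dropped; the field names and helper functions are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the KASAN splat quoted in the bug above (a few frames dropped for brevity).
SAMPLE_SPLAT = """\
[ 1718.801688] BUG: KASAN: null-ptr-deref in tpm_transmit+0x313/0x736
[ 1718.807875] Read of size 8 at addr 0000000000000048 by task reboot/4262
[ 1718.814483]
[ 1718.815981] CPU: 1 PID: 4262 Comm: reboot Not tainted 4.14.52 #464
[ 1718.829976] Call Trace:
[ 1718.832435]  dump_stack+0x4d/0x63
[ 1718.835757]  kasan_report+0x25f/0x2a9
[ 1718.839422]  tpm_transmit+0x313/0x736
[ 1718.843089]  tpm_transmit_cmd+0x27/0x7f
[ 1718.846928]  tpm2_shutdown+0x69/0xa3
[ 1718.850508]  ? __radix_tree_replace+0xdc/0x125
[ 1718.862369]  tpm_chip_unregister+0xda/0xff
[ 1718.866468]  cr50_i2c_shutdown+0x2a/0x4d
[ 1718.870395]  device_shutdown+0x254/0x293
[ 1718.918442] RIP: 0033:0x7cdacb35f316
"""

# Optional "[ seconds.micros] " dmesg timestamp prefix; logs copied without it still parse.
TS = r"^(?:\[\s*\d+\.\d+\]\s*)?"
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+")
ACCESS_RE = re.compile(TS + r"(?P<rw>Read|Write) of size (?P<bytes>\d+) at addr (?P<addr>[0-9a-f]+) "
                       r"by task (?P<task>\S+)/(?P<pid>\d+)")
TRACE_RE = re.compile(TS + r"Call Trace:\s*$")
# A "? " prefix marks a frame the unwinder could not verify; we record that and drop such frames.
FRAME_RE = re.compile(TS + r"\s*(?P<unreliable>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")

PAGE_SIZE = 4096  # x86-64 base page; addresses below it cannot be valid kernel pointers


@dataclass
class KasanReport:
    kind: str               # e.g. "null-ptr-deref", "use-after-free", "slab-out-of-bounds"
    func: str               # function the bad access was reported in
    func_offset: int        # offset into that function
    access: str = ""        # "Read" or "Write"
    access_size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    frames: List[str] = field(default_factory=list)  # reliable frames only, innermost first

    @property
    def is_null_page(self) -> bool:
        # A fault inside the first page means a NULL struct pointer plus a field offset.
        return self.addr < PAGE_SIZE

    def describe(self) -> str:
        where = f"{self.func}+0x{self.func_offset:x}"
        if self.is_null_page:
            target = f"offset 0x{self.addr:x} from a NULL struct pointer"
        else:
            target = f"0x{self.addr:016x}"
        return (f"{self.kind}: {self.access.lower()} of {self.access_size} bytes at {target} "
                f"in {where} (task {self.task}/{self.pid})")


def parse_kasan_report(text: str) -> Optional[KasanReport]:
    """Extract the first KASAN report from dmesg-style text; None if there is none."""
    report: Optional[KasanReport] = None
    in_trace = False
    for line in text.splitlines():
        m = BUG_RE.match(line)
        if m:
            report = KasanReport(kind=m["kind"], func=m["func"], func_offset=int(m["off"], 16))
            continue
        if report is None:
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.access_size = m["rw"], int(m["bytes"])
            report.addr, report.task, report.pid = int(m["addr"], 16), m["task"], int(m["pid"])
            continue
        if TRACE_RE.match(line):
            in_trace = True
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if not m:
                in_trace = False  # first non-frame line (RIP:/register dump) ends the trace
                continue
            if not m["unreliable"]:
                report.frames.append(m["sym"])
    return report


def call_path(report: KasanReport) -> List[str]:
    """Reliable frames from the faulting function outward, dropping KASAN's own reporting helpers."""
    if report.func in report.frames:
        return report.frames[report.frames.index(report.func):]
    return list(report.frames)


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_SPLAT)
    if r is not None:
        print(r.describe())
        print(" <- ".join(call_path(r)))
```

For the report above this yields the path tpm_transmit <- tpm_transmit_cmd <- tpm2_shutdown <- tpm_chip_unregister <- cr50_i2c_shutdown <- device_shutdown with the unreliable __radix_tree_replace frame discarded, which is the part of the splat worth pasting into a triage note: the dereference happens while the cr50 I2C driver tears the chip down at reboot, not on a normal command path.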
 
Status: Verified (was: Assigned)