Re: not ok 1 - single_pixel_source_buffer: The buggy address belongs to the physical page
On Tue, Oct 18, 2022 at 3:54 PM Javier Martinez Canillas wrote:
>
> [adding a few folks to Cc list that might help with this issue]
>
> Hello Naresh,
>
> Thanks a lot for your report.
>
> On 10/18/22 08:40, Naresh Kamboju wrote:
> > Following kunit tests started failing on Linux mainline.
> > - drm_format_helper_test — FAIL
> > - drm_test_fb_xrgb_to_xrgb2101010 — FAIL
> > - single_pixel_source_buffer — FAIL
> >
> > Good: v6.0-3015-g2bca25eaeba6
> > Bad: v6.0-5118-g833477fce7a1
> >
>
> Could you please let me know how you are running this? I tried to reproduce it
> on v6.1-rc1 with the following command but all tests passed:
>
> ./tools/testing/kunit/kunit.py run --kunitconfig=drivers/gpu/drm/tests/.kunitconfig --arch=x86_64
> [09:41:53] Configuring KUnit Kernel ...
> [09:41:53] Building KUnit Kernel ...
> Populating config with:
> $ make ARCH=x86_64 O=.kunit olddefconfig
> Building with:
> $ make ARCH=x86_64 O=.kunit --jobs=8
> [09:45:51] Starting KUnit Kernel (1/1)...
> [09:45:51]
> Running tests with:
> $ qemu-system-x86_64 -nodefaults -m 1024 -kernel .kunit/arch/x86/boot/bzImage -append 'kunit.enable=1 console=ttyS0 kunit_shutdown=reboot' -no-reboot -nographic -serial stdio
> ...
> [09:47:40] Testing complete. Ran 195 tests: passed: 195
> [09:47:40] Elapsed time: 347.817s total, 0.003s configuring, 238.009s building, 109.771s running

I can reproduce this with:

./tools/testing/kunit/kunit.py run --kunitconfig drivers/gpu/drm/tests --kconfig_add CONFIG_KASAN=y --kconfig_add CONFIG_KASAN_VMALLOC=y --kconfig_add CONFIG_KASAN_KUNIT_TEST=y drm_format_helper_test.*xrgb2101010

(The issue shows up only with KASAN enabled, and it looks like there's a bug whereby KASAN failures don't trigger test failures unless CONFIG_KASAN_KUNIT_TEST=y)

It looks like the issue is probably with the conversion back to le32 here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/tests/drm_format_helper_test.c#n441

That second call to le32buf_to_cpu() should probably take dst_size (or rather, dst_size / sizeof(u32)) rather than using TEST_BUF_SIZE, which is the maximum possible size of the buffer, not the actual size.

That fixes it here for me, though a proper fix would avoid the division.

Cheers,
-- David
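The over-read described in the message above, modelled in user space as an added example (not code from the thread or from the kernel tree): converting TEST_BUF_SIZE words from a buffer that only holds dst_size bytes walks past the end of the allocation, while a count of dst_size / sizeof(u32) stays in bounds. The value 50 for TEST_BUF_SIZE, the 4-byte dst_size, the sample bytes and the helper names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TEST_BUF_SIZE 50 /* assumed value: "maximum possible size", in words */

/* Decode one little-endian u32 from bytes, independent of host endianness. */
static uint32_t le32_decode(const unsigned char *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Hypothetical bounds-aware model of an le32-to-CPU buffer conversion.
 * Converts `count` words, but stops at the first word that would lie outside
 * the `src_bytes` allocation and returns its byte offset (the access KASAN
 * would flag). Returns -1 when every read is in bounds.
 */
static long le32buf_to_cpu_checked(const unsigned char *src, size_t src_bytes,
				   size_t count, uint32_t *out)
{
	for (size_t n = 0; n < count; n++) {
		size_t off = n * sizeof(uint32_t);

		if (off + sizeof(uint32_t) > src_bytes)
			return (long)off;
		out[n] = le32_decode(src + off);
	}
	return -1;
}

/* Single converted pixel: dst_size assumed to be 4 bytes (constructed data). */
static long first_oob_offset(size_t count)
{
	const unsigned char dst[4] = { 0x00, 0x00, 0xf0, 0x3f };
	uint32_t out[TEST_BUF_SIZE] = { 0 };

	return le32buf_to_cpu_checked(dst, sizeof(dst), count, out);
}

int main(void)
{
	printf("count = TEST_BUF_SIZE: first out-of-bounds read at byte %ld\n",
	       first_oob_offset(TEST_BUF_SIZE));
	printf("count = dst_size / sizeof(u32): %ld (all reads in bounds)\n",
	       first_oob_offset(4 / sizeof(uint32_t)));
	return 0;
}
```

With the oversized count, the first rejected read is the 4-byte load at offset 4, which matches the "Read of size 4" located "4 bytes inside of" the kmalloc-8 object in the KASAN report.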
Re: not ok 1 - single_pixel_source_buffer: The buggy address belongs to the physical page
[adding a few folks to Cc list that might help with this issue]

Hello Naresh,

Thanks a lot for your report.

On 10/18/22 08:40, Naresh Kamboju wrote:
> Following kunit tests started failing on Linux mainline.
> - drm_format_helper_test — FAIL
> - drm_test_fb_xrgb_to_xrgb2101010 — FAIL
> - single_pixel_source_buffer — FAIL
>
> Good: v6.0-3015-g2bca25eaeba6
> Bad: v6.0-5118-g833477fce7a1
>

Could you please let me know how you are running this? I tried to reproduce it
on v6.1-rc1 with the following command but all tests passed:

./tools/testing/kunit/kunit.py run --kunitconfig=drivers/gpu/drm/tests/.kunitconfig --arch=x86_64
[09:41:53] Configuring KUnit Kernel ...
[09:41:53] Building KUnit Kernel ...
Populating config with:
$ make ARCH=x86_64 O=.kunit olddefconfig
Building with:
$ make ARCH=x86_64 O=.kunit --jobs=8
[09:45:51] Starting KUnit Kernel (1/1)...
[09:45:51]
Running tests with:
$ qemu-system-x86_64 -nodefaults -m 1024 -kernel .kunit/arch/x86/boot/bzImage -append 'kunit.enable=1 console=ttyS0 kunit_shutdown=reboot' -no-reboot -nographic -serial stdio
...
[09:47:40] Testing complete. Ran 195 tests: passed: 195
[09:47:40] Elapsed time: 347.817s total, 0.003s configuring, 238.009s building, 109.771s running

> Reported-by: Linux Kernel Functional Testing
>
> [ 50.320990] # Subtest: drm_test_fb_xrgb_to_xrgb2101010
> [ 50.322059] ==
> [ 50.326436] BUG: KASAN: slab-out-of-bounds in drm_test_fb_xrgb_to_xrgb2101010+0x2dd/0x520
> [ 50.329249] Read of size 4 at addr 888104d7a5cc by task kunit_try_catch/619
> [ 50.331596]
> [ 50.332135] CPU: 1 PID: 619 Comm: kunit_try_catch Tainted: GB N 6.0.0 #1
> [ 50.333876] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
> [ 50.335138] Call Trace:
> [ 50.335531]
> [ 50.335879] dump_stack_lvl+0x49/0x62
> [ 50.336462] print_report.cold+0x5e/0x5d9
> [ 50.337069] ? _raw_spin_unlock_irqrestore+0x33/0x60
> [ 50.337820] ? update_kunit_status+0xee/0x160
> [ 50.338494] ? drm_test_fb_xrgb_to_xrgb2101010+0x2dd/0x520
> [ 50.339354] kasan_report+0xaa/0x130
> [ 50.339905] ? drm_fb_xrgb_to_xrgb2101010+0xa0/0xd0
> [ 50.340680] ? drm_test_fb_xrgb_to_xrgb2101010+0x2dd/0x520
> [ 50.341576] __asan_load4+0x80/0xa0
> [ 50.342112] drm_test_fb_xrgb_to_xrgb2101010+0x2dd/0x520
> [ 50.342958] ? drm_test_fb_xrgb_to_gray8+0x470/0x470
> [ 50.343778] ? update_load_avg+0x80/0xb80
> [ 50.344407] ? update_cfs_group+0x22/0x160
> [ 50.345036] ? load_balance+0x14d0/0x14d0
> [ 50.345652] ? dequeue_entity+0x1f2/0x6a0
> [ 50.346263] ? rcu_qs+0x1c/0x120
> [ 50.346773] ? finish_task_switch.isra.0+0xe0/0x410
> [ 50.347532] ? __kasan_check_write+0x14/0x20
> [ 50.348192] ? _raw_spin_lock_irqsave+0x9e/0x100
> [ 50.348891] ? _raw_spin_unlock_irqrestore+0x28/0x60
> [ 50.349625] ? trace_preempt_on+0x2a/0xf0
> [ 50.350242] ? __kthread_parkme+0x4f/0xd0
> [ 50.350857] kunit_try_run_case+0x91/0xd0
> [ 50.351479] ? kunit_catch_run_case+0x80/0x80
> [ 50.352151] ? kunit_try_catch_throw+0x40/0x40
> [ 50.352897] kunit_generic_run_threadfn_adapter+0x2f/0x50
> [ 50.353890] kthread+0x179/0x1b0
> [ 50.354410] ? kthread_complete_and_exit+0x30/0x30
> [ 50.355126] ret_from_fork+0x22/0x30
> [ 50.355708]
> [ 50.356047]
> [ 50.356284] Allocated by task 619:
> [ 50.356817] kasan_save_stack+0x26/0x50
> [ 50.357410] __kasan_kmalloc+0xae/0xe0
> [ 50.357980] __kmalloc+0x1cf/0x390
> [ 50.358501] kunit_kmalloc_array_init+0x4b/0x80
> [ 50.359189] __kunit_add_resource+0x67/0x100
> [ 50.359859] kunit_kmalloc_array+0xf8/0x170
> [ 50.360490] drm_test_fb_xrgb_to_xrgb2101010+0x19f/0x520
> [ 50.361341] kunit_try_run_case+0x91/0xd0
> [ 50.361948] kunit_generic_run_threadfn_adapter+0x2f/0x50
> [ 50.362747] kthread+0x179/0x1b0
> [ 50.363230] ret_from_fork+0x22/0x30
> [ 50.363779]
> [ 50.364015] The buggy address belongs to the object at 888104d7a5c8
> [
not ok 1 - single_pixel_source_buffer: The buggy address belongs to the physical page
Following kunit tests started failing on Linux mainline.
- drm_format_helper_test — FAIL
- drm_test_fb_xrgb_to_xrgb2101010 — FAIL
- single_pixel_source_buffer — FAIL

Good: v6.0-3015-g2bca25eaeba6
Bad: v6.0-5118-g833477fce7a1

Reported-by: Linux Kernel Functional Testing

[ 50.320990] # Subtest: drm_test_fb_xrgb_to_xrgb2101010
[ 50.322059] ==
[ 50.326436] BUG: KASAN: slab-out-of-bounds in drm_test_fb_xrgb_to_xrgb2101010+0x2dd/0x520
[ 50.329249] Read of size 4 at addr 888104d7a5cc by task kunit_try_catch/619
[ 50.331596]
[ 50.332135] CPU: 1 PID: 619 Comm: kunit_try_catch Tainted: GB N 6.0.0 #1
[ 50.333876] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 50.335138] Call Trace:
[ 50.335531]
[ 50.335879] dump_stack_lvl+0x49/0x62
[ 50.336462] print_report.cold+0x5e/0x5d9
[ 50.337069] ? _raw_spin_unlock_irqrestore+0x33/0x60
[ 50.337820] ? update_kunit_status+0xee/0x160
[ 50.338494] ? drm_test_fb_xrgb_to_xrgb2101010+0x2dd/0x520
[ 50.339354] kasan_report+0xaa/0x130
[ 50.339905] ? drm_fb_xrgb_to_xrgb2101010+0xa0/0xd0
[ 50.340680] ? drm_test_fb_xrgb_to_xrgb2101010+0x2dd/0x520
[ 50.341576] __asan_load4+0x80/0xa0
[ 50.342112] drm_test_fb_xrgb_to_xrgb2101010+0x2dd/0x520
[ 50.342958] ? drm_test_fb_xrgb_to_gray8+0x470/0x470
[ 50.343778] ? update_load_avg+0x80/0xb80
[ 50.344407] ? update_cfs_group+0x22/0x160
[ 50.345036] ? load_balance+0x14d0/0x14d0
[ 50.345652] ? dequeue_entity+0x1f2/0x6a0
[ 50.346263] ? rcu_qs+0x1c/0x120
[ 50.346773] ? finish_task_switch.isra.0+0xe0/0x410
[ 50.347532] ? __kasan_check_write+0x14/0x20
[ 50.348192] ? _raw_spin_lock_irqsave+0x9e/0x100
[ 50.348891] ? _raw_spin_unlock_irqrestore+0x28/0x60
[ 50.349625] ? trace_preempt_on+0x2a/0xf0
[ 50.350242] ? __kthread_parkme+0x4f/0xd0
[ 50.350857] kunit_try_run_case+0x91/0xd0
[ 50.351479] ? kunit_catch_run_case+0x80/0x80
[ 50.352151] ? kunit_try_catch_throw+0x40/0x40
[ 50.352897] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 50.353890] kthread+0x179/0x1b0
[ 50.354410] ? kthread_complete_and_exit+0x30/0x30
[ 50.355126] ret_from_fork+0x22/0x30
[ 50.355708]
[ 50.356047]
[ 50.356284] Allocated by task 619:
[ 50.356817] kasan_save_stack+0x26/0x50
[ 50.357410] __kasan_kmalloc+0xae/0xe0
[ 50.357980] __kmalloc+0x1cf/0x390
[ 50.358501] kunit_kmalloc_array_init+0x4b/0x80
[ 50.359189] __kunit_add_resource+0x67/0x100
[ 50.359859] kunit_kmalloc_array+0xf8/0x170
[ 50.360490] drm_test_fb_xrgb_to_xrgb2101010+0x19f/0x520
[ 50.361341] kunit_try_run_case+0x91/0xd0
[ 50.361948] kunit_generic_run_threadfn_adapter+0x2f/0x50
[ 50.362747] kthread+0x179/0x1b0
[ 50.363230] ret_from_fork+0x22/0x30
[ 50.363779]
[ 50.364015] The buggy address belongs to the object at 888104d7a5c8
[ 50.364015] which belongs to the cache kmalloc-8 of size 8
[ 50.365824] The buggy address is located 4 bytes inside of
[ 50.365824] 8-byte region [888104d7a5c8, 888104d7a5d0)
[ 50.367485]
[ 50.367736] The buggy address belongs to the physical page:
[ 50.368579] page:3c09c153 refcount:1 mapcount:0 mapping: index:0x0 pfn:0x104d7a
[ 50.369991] flags: 0x2000200(slab|node=0|zone=2)
[ 50.370804] raw: 02000200 dead0122 888100042280
[ 50.371933] raw: 80660066 0001
[ 50.373021] page dumped because: kasan: bad access detected
[ 50.373958]
[ 50.374202] Memory state around the buggy address:
[ 50.374935] 888104d7a480: fc fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc
[ 50.376019] 888104d7a500: fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc fb
[ 50.377098] >888104d7a580: fc fc fc fc fa fc fc fc fc 04 fc fc fc fc fa fc
[ 50.378174] ^
[ 50.379025] 888104d7a600: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
[ 50.380123] 888104d7a680: fc fc 00 fc fc fc fc fa fc fc fc fc fa fc fc fc
[ 50.381191] ==
[ 50.382461] not ok 1 - single_pixel_source_buffer
[ 50.382909] ok 2 - single_pixel_clip_rectangle
[ 50.384319] ok 3 - well_known_colors
[ 50.385393] ok 4 - destination_pitch
[ 50.386029] # drm_test_fb_xrgb_to_xrgb2101010: pass:3 fail:1 skip:0 total:4
[ 50.386657] not ok 5 - drm_test_fb_xrgb_to_xrgb2101010
[ 50.387762] # drm_format_helper_test: pass:4 fail:1 skip:0 total:5
[ 50.388598] # Totals: pass:19 fail:1 skip:0 total:20
[ 50.389467] not ok 33 - drm_format_helper_test

Test log link,
https://lkft.validation.linaro.org/scheduler/job/5633513#L7056