
"modprobe -v drm_format_helper_test" crashes clang-17 built kernel w. "CFI failure at __kunit_action_free+0x18/0x20 [kunit] (target: kfree+0x0/0xb0; expected type: 0x81aceae9)" when CONFIG_CFI_CLANG=y is enabled (kernel 6.7.5, amd64) #1998

@ernsteiswuerfel


I wanted to run some kernel drm/ttm unit tests to check for quirks in the drm/ttm subsystem. What I additionally found out is that some tests crash when CONFIG_CFI_CLANG=y is enabled, e.g. modprobe -v drm_format_helper_test. The same test passes fine and without any side effects when CFI_CLANG is disabled or the kernel is built with GCC 13 instead.

I get the following dmesg when running the test via modprobe:

[...]
KTAP version 1
1..1
    KTAP version 1
    # Subtest: checksum
    # module: checksum_kunit
    1..3
    ok 1 test_csum_fixed_random_inputs
    ok 2 test_csum_all_carry_inputs
    ok 3 test_csum_no_carry_inputs
# checksum: pass:3 fail:0 skip:0 total:3
# Totals: pass:3 fail:0 skip:0 total:3
ok 1 checksum
KTAP version 1
1..1
    KTAP version 1
    # Subtest: cmdline
    # module: cmdline_kunit
    1..4
    ok 1 cmdline_test_noint
    ok 2 cmdline_test_lead_int
    ok 3 cmdline_test_tail_int
    ok 4 cmdline_test_range
# cmdline: pass:4 fail:0 skip:0 total:4
# Totals: pass:4 fail:0 skip:0 total:4
ok 1 cmdline
KTAP version 1
1..1
    KTAP version 1
    # Subtest: cpumask
    # module: cpumask_kunit
    1..6
    ok 1 test_cpumask_weight
    ok 2 test_cpumask_first
    ok 3 test_cpumask_last
    ok 4 test_cpumask_next
    ok 5 test_cpumask_iterators
    ok 6 test_cpumask_iterators_builtin
# cpumask: pass:6 fail:0 skip:0 total:6
# Totals: pass:6 fail:0 skip:0 total:6
ok 1 cpumask
KTAP version 1
1..1
    KTAP version 1
    # Subtest: drm_format_helper_test
    # module: drm_format_helper_test
    1..17
        KTAP version 1
        # Subtest: drm_test_fb_xrgb8888_to_gray8
CFI failure at __kunit_action_free+0x18/0x20 [kunit] (target: kfree+0x0/0xb0; expected type: 0x81aceae9)
invalid opcode: 0000 [#1] SMP NOPTI
CPU: 29 PID: 2166 Comm: kunit_try_catch Tainted: G                 N 6.7.5-gentoo-Zen3 #4
Hardware name: To Be Filled By O.E.M. B550M Pro4/B550M Pro4, BIOS P3.40 01/18/2024
RIP: 0010:__kunit_action_free+0x18/0x20 [kunit]
Code: 00 00 b8 64 d6 71 24 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 4c 8b 5f 38 48 8b 7f 40 41 ba 17 15 53 7e 45 03 53 f1 74 02 <0f> 0b 2e e9 00 a1 0b e6 b8 30 72 86 37 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffb83682657e90 EFLAGS: 00010217
RAX: 0000000000000001 RBX: ffff9a3bc0c91b08 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9a3c2c33c000
RBP: ffffb8368259f878 R08: 0000000000000000 R09: 0000000000000000
R10: 000000003507d306 R11: ffffffffa62222e0 R12: 0000000000000296
R13: ffffb8368259fac0 R14: ffffb8368259faa0 R15: ffff9a3bc0c91b28
FS:  0000000000000000(0000) GS:ffff9a42df140000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f953c430000 CR3: 000000010a33e000 CR4: 0000000000b50ef0
Call Trace:
 <TASK>
 ? __die_body+0x16/0x75
 ? die+0x38/0x60
 ? do_trap+0xa1/0x120
 ? __kunit_action_free+0x18/0x20 [kunit]
 ? do_error_trap+0x63/0xa0
 ? __kunit_action_free+0x18/0x20 [kunit]
 ? handle_invalid_op+0x25/0x45
 ? __kunit_action_free+0x18/0x20 [kunit]
 ? exc_invalid_op+0x3a/0x5b
 ? asm_exc_invalid_op+0x1a/0x20
 ? __cfi_kfree+0x10/0x10
 ? __kunit_action_free+0x18/0x20 [kunit]
 kunit_remove_resource+0x8c/0xf0 [kunit]
 kunit_cleanup+0x48/0x90 [kunit]
 kunit_generic_run_threadfn_adapter+0x24/0x30 [kunit]
 ? __cfi_kunit_generic_run_threadfn_adapter+0x10/0x10 [kunit]
 kthread+0xe7/0x10b
 ? __cfi_kthread+0x10/0x10
 ret_from_fork+0x4c/0x60
 ? __cfi_kthread+0x10/0x10
 ret_from_fork_asm+0x11/0x30
 </TASK>
Modules linked in: drm_format_helper_test drm_kunit_helpers cpumask_kunit cmdline_kunit checksum_kunit kunit bitfield_kunit rfkill dm_crypt nhpoly1305_avx2 nhpoly1305 chacha_generic chacha_x86_64 libchacha adiantum libpoly1305 algif_skcipher input_leds joydev hid_generic usbhid hid amdgpu snd_hda_codec_hdmi mfd_core snd_hda_intel gpu_sched snd_intel_dspcfg amdxcp drm_suballoc_helper snd_hda_codec i2c_algo_bit snd_hwdep amd64_edac edac_mce_amd snd_hda_core video snd_pcm drm_ttm_helper wmi_bmof evdev ttm snd_timer drm_exec snd drm_display_helper kvm_amd soundcore rapl drm_buddy k10temp wmi gpio_amdpt gpio_generic button lz4 lz4_compress lz4_decompress zram sg nct6775 hwmon_vid nct6775_core hwmon loop configfs sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 sha1_generic aesni_intel libaes crypto_simd ccp cryptd xhci_pci xhci_hcd usbcore usb_common sunrpc dm_mod pkcs8_key_parser efivarfs
---[ end trace 0000000000000000 ]---
RIP: 0010:__kunit_action_free+0x18/0x20 [kunit]
Code: 00 00 b8 64 d6 71 24 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 4c 8b 5f 38 48 8b 7f 40 41 ba 17 15 53 7e 45 03 53 f1 74 02 <0f> 0b 2e e9 00 a1 0b e6 b8 30 72 86 37 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffb83682657e90 EFLAGS: 00010217
RAX: 0000000000000001 RBX: ffff9a3bc0c91b08 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9a3c2c33c000
RBP: ffffb8368259f878 R08: 0000000000000000 R09: 0000000000000000
R10: 000000003507d306 R11: ffffffffa62222e0 R12: 0000000000000296
R13: ffffb8368259fac0 R14: ffffb8368259faa0 R15: ffff9a3bc0c91b28
FS:  0000000000000000(0000) GS:ffff9a42df140000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f953c430000 CR3: 000000010a33e000 CR4: 0000000000b50ef0
EXT4-fs (zram1): unmounting filesystem a4bb85cf-4a45-4073-a739-519e1062e20b.
systemd-shutdown[1]: Syncing filesystems and block devices.
systemd-shutdown[1]: Sending SIGTERM to remaining processes...
systemd-journald[858]: Received SIGTERM from PID 1 (systemd-shutdow).
systemd-shutdown[1]: Waiting for process: 2164 (modprobe)
    # drm_test_fb_xrgb8888_to_gray8: try timed out
general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#2] SMP NOPTI
CPU: 3 PID: 2164 Comm: modprobe Tainted: G      D          N 6.7.5-gentoo-Zen3 #4
Hardware name: To Be Filled By O.E.M. B550M Pro4/B550M Pro4, BIOS P3.40 01/18/2024
RIP: 0010:kthread_stop+0x39/0xc0
Code: 01 00 00 00 b8 01 00 00 00 49 89 fe f0 0f c1 47 28 85 c0 74 6d 8d 48 01 09 c1 78 6b 41 f6 46 2e 20 74 6e 4d 8b be 30 05 00 00 <f0> 41 80 0f 02 4c 89 f7 e8 9a fe ff ff f0 41 80 4e 02 02 4c 89 f7
RSP: 0018:ffffb8368259f920 EFLAGS: 00010202
RAX: 000000006b6b6b6b RBX: ffff9a3c2f920068 RCX: 000000006b6b6b6f
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9a3c2f920040
RBP: ffffb8368259fc90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffb8368259f9a0
R13: 0000000000000000 R14: ffff9a3c2f920040 R15: 6b6b6b6b6b6b6b6b
FS:  00007fb447c4dc40(0000) GS:ffff9a42deac0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd2267e488 CR3: 0000000174ec6000 CR4: 0000000000b50ef0
Call Trace:
 <TASK>
 ? __die_body+0x16/0x75
 ? die_addr+0x38/0x60
 ? exc_general_protection+0x1c4/0x2d0
 ? console_unlock+0xa1/0xd0
 ? asm_exc_general_protection+0x26/0x30
 ? kthread_stop+0x39/0xc0
 kunit_try_catch_run+0x14f/0x190 [kunit]
 kunit_run_case_catch_errors+0x64/0xb0 [kunit]
 kunit_run_tests+0x3b8/0x6cb [kunit]
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __cfi_kunit_try_run_case_cleanup+0x10/0x10 [kunit]
 ? __cfi_kunit_catch_run_case_cleanup+0x10/0x10 [kunit]
 __kunit_test_suites_init+0x5b/0x90 [kunit]
 kunit_module_notify+0x12a/0x190 [kunit]
 notifier_call_chain+0x77/0xb5
 blocking_notifier_call_chain+0x3b/0x70
 do_init_module+0xa4/0x220
 __se_sys_finit_module+0x1bd/0x295
 do_syscall_64+0x7d/0x100
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? ksys_lseek+0x5e/0xb0
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? syscall_exit_to_user_mode+0x23/0xc0
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? do_syscall_64+0x89/0x100
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? do_syscall_64+0x89/0x100
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? do_syscall_64+0x89/0x100
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fb447d59479
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 87 89 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe03034818 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 0000560744c11e70 RCX: 00007fb447d59479
RDX: 0000000000000000 RSI: 00005607434b0c7c RDI: 0000000000000004
RBP: 0000000000000000 R08: 00007fb447e22b20 R09: 0000000000000000
R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000040000
R13: 00005607434b0c7c R14: 0000560744c11d80 R15: 0000000000000000
 </TASK>
Modules linked in: drm_format_helper_test drm_kunit_helpers cpumask_kunit cmdline_kunit checksum_kunit kunit bitfield_kunit rfkill dm_crypt nhpoly1305_avx2 nhpoly1305 chacha_generic chacha_x86_64 libchacha adiantum libpoly1305 algif_skcipher input_leds joydev hid_generic usbhid hid amdgpu snd_hda_codec_hdmi mfd_core snd_hda_intel gpu_sched snd_intel_dspcfg amdxcp drm_suballoc_helper snd_hda_codec i2c_algo_bit snd_hwdep amd64_edac edac_mce_amd snd_hda_core video snd_pcm drm_ttm_helper wmi_bmof evdev ttm snd_timer drm_exec snd drm_display_helper kvm_amd soundcore rapl drm_buddy k10temp wmi gpio_amdpt gpio_generic button lz4 lz4_compress lz4_decompress zram sg nct6775 hwmon_vid nct6775_core hwmon loop configfs sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 sha1_generic aesni_intel libaes crypto_simd ccp cryptd xhci_pci xhci_hcd usbcore usb_common sunrpc dm_mod pkcs8_key_parser efivarfs
---[ end trace 0000000000000000 ]---
RIP: 0010:__kunit_action_free+0x18/0x20 [kunit]
Code: 00 00 b8 64 d6 71 24 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 4c 8b 5f 38 48 8b 7f 40 41 ba 17 15 53 7e 45 03 53 f1 74 02 <0f> 0b 2e e9 00 a1 0b e6 b8 30 72 86 37 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffb83682657e90 EFLAGS: 00010217
RAX: 0000000000000001 RBX: ffff9a3bc0c91b08 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9a3c2c33c000
RBP: ffffb8368259f878 R08: 0000000000000000 R09: 0000000000000000
R10: 000000003507d306 R11: ffffffffa62222e0 R12: 0000000000000296
R13: ffffb8368259fac0 R14: ffffb8368259faa0 R15: ffff9a3bc0c91b28
FS:  00007fb447c4dc40(0000) GS:ffff9a42deac0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd2267e488 CR3: 0000000174ec6000 CR4: 0000000000b50ef0

It's no hard crash, the machine stays useable via VNC/ssh and can be shut down.

Full dmesg + kernel .config attached.
config_675_zen3.txt
dmesg_675_zen3.txt
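
Added example, not part of the original report or of any kernel tooling: a small triage script for the kCFI report format seen in the dmesg above. It extracts the call site, target and expected type hash, and separately flags a general protection fault whose address is all 0x6b bytes, the slab poison value written into freed objects when slab poisoning is enabled. The function and field names are this example's own.

```python
import re

# "<symbol>+<offset>/<size> [<module>]", as the report above prints kernel symbols.
SYM = r"[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?"
CFI_RE = re.compile(
    rf"CFI failure at (?P<site>{SYM}) \(target: (?P<target>{SYM}|0x[0-9a-f]+)"
    r"(?:; expected type: (?P<type>0x[0-9a-f]{8}))?\)"
)
GPF_RE = re.compile(r"non-canonical address 0x(?P<addr>[0-9a-f]{16})")
POISON_FREE = "6b"  # slab poison byte for freed objects

def split_sym(s):
    """'kfree+0x0/0xb0 [mod]' -> (symbol, offset, module or None)."""
    m = re.fullmatch(r"([\w.]+)\+(0x[0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?", s)
    return (m.group(1), int(m.group(2), 16), m.group(3)) if m else (s, None, None)

def triage(lines):
    findings = []
    for line in lines:
        m = CFI_RE.search(line)
        if m:
            site, _, site_mod = split_sym(m["site"])
            target, off, _ = split_sym(m["target"])
            findings.append({
                "kind": "cfi",
                "call_site": site,
                "module": site_mod,
                "target": target,
                # Offset 0 means the pointer held a real function entry whose
                # type hash differs, which is consistent with a prototype mismatch.
                "target_is_function_entry": off == 0,
                "expected_type": m["type"],
            })
            continue
        m = GPF_RE.search(line)
        if m and m["addr"] == POISON_FREE * 8:
            findings.append({"kind": "freed-memory-access", "address": "0x" + m["addr"]})
    return findings

SAMPLE = [
    # The next two lines are copied from the dmesg in the report above.
    "CFI failure at __kunit_action_free+0x18/0x20 [kunit] (target: kfree+0x0/0xb0; expected type: 0x81aceae9)",
    "general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#2] SMP NOPTI",
    # Constructed line: ordinary test output that must not match.
    "[   12.000000] ok 1 checksum",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```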

Labels

[ARCH] x86_64: This bug impacts ARCH=x86_64
[BUG] linux-stable: A bug that is present in linux-stable and not mainline.
[FEATURE] CFI: Related to building the kernel with Clang Control Flow Integrity
