[2/4] fpga: add a platform driver to the FPGA Manager test suite

Message ID 20230926163911.66114-3-marpagan@redhat.com
State New
Headers
Series fpga: add platform drivers to the FPGA KUnit test suites |

Commit Message

Marco Pagani Sept. 26, 2023, 4:39 p.m. UTC
  Register a minimal platform driver associated with the parent platform
device used for testing to prevent a null-ptr-deref when try_module_get()
is called by fpga_mgr_get().

Fixes: ccbc1c302115 ("fpga: add an initial KUnit suite for the FPGA Manager")
Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
Signed-off-by: Marco Pagani <marpagan@redhat.com>
---
 drivers/fpga/tests/fpga-mgr-test.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
  

Comments

Jinjie Ruan Sept. 27, 2023, 2:55 a.m. UTC | #1
On 2023/9/27 0:39, Marco Pagani wrote:
> Register a minimal platform driver associated with the parent platform
> device used for testing to prevent a null-ptr-deref when try_module_get()
> is called by fpga_mgr_get().
> 
> Fixes: ccbc1c302115 ("fpga: add an initial KUnit suite for the FPGA Manager")
> Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
> Signed-off-by: Marco Pagani <marpagan@redhat.com>
> ---
>  drivers/fpga/tests/fpga-mgr-test.c | 18 +++++++++++++++++-
>  1 file changed, 17 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/fpga/tests/fpga-mgr-test.c b/drivers/fpga/tests/fpga-mgr-test.c
> index 6acec55b60ce..30de474d7def 100644
> --- a/drivers/fpga/tests/fpga-mgr-test.c
> +++ b/drivers/fpga/tests/fpga-mgr-test.c
> @@ -14,6 +14,8 @@
>  #include <linux/scatterlist.h>
>  #include <linux/types.h>
>  
> +#include "fpga-test-helpers.h"
> +
>  #define HEADER_FILL		'H'
>  #define IMAGE_FILL		'P'
>  #define IMAGE_BLOCK		1024
> @@ -277,6 +279,18 @@ static void fpga_mgr_test_img_load_sgt(struct kunit *test)
>  	sg_free_table(ctx->img_info->sgt);
>  }
>  
> +TEST_PLATFORM_DRIVER(test_platform_driver);
> +
> +static int fpga_mgr_test_suite_init(struct kunit_suite *suite)
> +{
> +	return platform_driver_register(&test_platform_driver);

modprobe fpga-mgr-test and there is still a null-ptr-deref.

root@syzkaller:~# modprobe fpga-mgr-test
[   45.088127] KTAP version 1
[   45.088354] 1..1
[   45.089520] ------------[ cut here ]------------
[   45.089861] kobject: '(null)' (ffffffffa02121d0): is not initialized,
yet kobject_get() is being called.
[   45.090608] WARNING: CPU: 1 PID: 1862 at lib/kobject.c:637
kobject_get+0x98/0xe0
[   45.091209] Modules linked in: fpga_mgr_test(+)
[   45.091581] CPU: 1 PID: 1862 Comm: modprobe Tainted: G
 N 6.6.0-rc3+ #54
[   45.092201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
[   45.092870] RIP: 0010:kobject_get+0x98/0xe0
[   45.093200] Code: 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03
80 3c 02 00 75 44 49 8b 34 24 4c 89 e2 48 c7 c7 20 63 ac 84 e8 38 fe 24
fd <0f> 0b eb a2 48 89 ef be 01 00 00 00 e8 d7 de a4 fe 4c 89 e0 5d 41
[   45.094653] RSP: 0018:ffff8881062f7298 EFLAGS: 00010286
[   45.095086] RAX: 0000000000000000 RBX: ffffffff848a3660 RCX:
0000000000000000
[   45.095649] RDX: 0000000000000002 RSI: ffffffff847b4d40 RDI:
0000000000000001
[   45.096205] RBP: ffff888101b6d840 R08: 0000000000000001 R09:
ffffed1020c5ee12
[   45.096761] R10: ffff8881062f7097 R11: 3a7463656a626f6b R12:
ffffffffa02121d0
[   45.097315] R13: ffff888101b6d858 R14: ffffffffa02121d0 R15:
ffff88810661aca0
[   45.097863] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
knlGS:0000000000000000
[   45.098485] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.098933] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
0000000000770ee0
[   45.099497] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[   45.100054] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[   45.100615] PKRU: 55555554
[   45.100833] Call Trace:
[   45.101034]  <TASK>
[   45.101206]  ? __warn+0xc9/0x260
[   45.101480]  ? irq_work_queue+0x35/0x50
[   45.101786]  ? kobject_get+0x98/0xe0
[   45.102073]  ? report_bug+0x345/0x400
[   45.102377]  ? handle_bug+0x3c/0x70
[   45.102661]  ? exc_invalid_op+0x14/0x40
[   45.102968]  ? asm_exc_invalid_op+0x16/0x20
[   45.103317]  ? kobject_get+0x98/0xe0
[   45.103604]  ? kobject_get+0x98/0xe0
[   45.103892]  kobject_add_internal+0x9e/0x870
[   45.104235]  kobject_add+0x120/0x1f0
[   45.104535]  ? kset_create_and_add+0x160/0x160
[   45.104892]  ? __kmem_cache_alloc_node+0x1d2/0x350
[   45.105269]  ? _raw_spin_lock+0x87/0xe0
[   45.105586]  ? kobject_create_and_add+0x3c/0xb0
[   45.105948]  kobject_create_and_add+0x68/0xb0
[   45.106303]  module_add_driver+0x260/0x350
[   45.106635]  bus_add_driver+0x2c9/0x580
[   45.106941]  driver_register+0x133/0x460
[   45.107284]  kunit_run_tests+0xdb/0xef0
[   45.107599]  ? _raw_spin_lock_irqsave+0x8d/0xe0
[   45.107962]  ? __sched_text_end+0xa/0xa
[   45.108284]  ? _raw_spin_unlock_irqrestore+0x42/0x80
[   45.108675]  ? __kunit_test_suites_exit+0x80/0x80
[   45.109045]  ? set_track_prepare+0x8a/0xd0
[   45.109380]  ? get_object+0x70/0x70
[   45.109658]  ? alloc_inode+0x12a/0x1e0
[   45.109960]  ? new_inode+0x14/0x230
[   45.110238]  ? __debugfs_create_file+0xc8/0x5d0
[   45.110607]  ? __kunit_test_suites_init+0x73/0x140
[   45.110982]  ? kunit_module_notify+0x3ab/0x440
[   45.111341]  ? notifier_call_chain+0xbf/0x280
[   45.111688]  ? _raw_spin_lock_irqsave+0x8d/0xe0
[   45.112045]  ? __sched_text_end+0xa/0xa
[   45.112362]  ? projid_m_show+0x200/0x200
[   45.112671]  ? kasan_set_track+0x21/0x30
[   45.112974]  ? _raw_spin_lock+0x87/0xe0
[   45.113290]  ? _raw_spin_lock_bh+0xe0/0xe0
[   45.113615]  ? _raw_spin_lock+0x87/0xe0
[   45.113914]  ? __d_instantiate+0x1d5/0x3b0
[   45.114232]  ? alloc_inode+0x72/0x1e0
[   45.114535]  ? up_write+0x6d/0xa0
[   45.114803]  ? __debugfs_create_file+0x3b5/0x5d0
[   45.115180]  __kunit_test_suites_init+0xde/0x140
[   45.115557]  kunit_module_notify+0x3ab/0x440
[   45.115895]  ? __kunit_test_suites_init+0x140/0x140
[   45.116287]  ? preempt_count_add+0x79/0x150
[   45.116623]  notifier_call_chain+0xbf/0x280
[   45.116953]  ? kasan_quarantine_put+0x21/0x1a0
[   45.117311]  blocking_notifier_call_chain_robust+0xbb/0x140
[   45.117747]  ? notifier_call_chain+0x280/0x280
[   45.118097]  ? 0xffffffffa0208000
[   45.118372]  load_module+0x4af0/0x67d0
[   45.118671]  ? module_frob_arch_sections+0x20/0x20
[   45.119057]  ? rwsem_down_write_slowpath+0x11a0/0x11a0
[   45.119476]  ? kernel_read_file+0x3ca/0x510
[   45.119807]  ? __x64_sys_fspick+0x2a0/0x2a0
[   45.120134]  ? init_module_from_file+0xd2/0x130
[   45.120499]  init_module_from_file+0xd2/0x130
[   45.120843]  ? __ia32_sys_init_module+0xa0/0xa0
[   45.121203]  ? userfaultfd_unmap_prep+0x3d0/0x3d0
[   45.121589]  ? _raw_spin_lock_bh+0xe0/0xe0
[   45.121916]  idempotent_init_module+0x339/0x610
[   45.122286]  ? init_module_from_file+0x130/0x130
[   45.122648]  ? __fget_light+0x57/0x500
[   45.122950]  __x64_sys_finit_module+0xba/0x130
[   45.123323]  do_syscall_64+0x35/0x80
[   45.123607]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[   45.124001] RIP: 0033:0x7fabf471b839
[   45.124303] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
[   45.125754] RSP: 002b:00007ffd1f377128 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[   45.126359] RAX: ffffffffffffffda RBX: 000055578e370e10 RCX:
00007fabf471b839
[   45.126921] RDX: 0000000000000000 RSI: 000055578ca1bc2e RDI:
0000000000000003
[   45.127505] RBP: 000055578ca1bc2e R08: 0000000000000000 R09:
000055578e373210
[   45.128057] R10: 0000000000000003 R11: 0000000000000246 R12:
0000000000000000
[   45.128621] R13: 000055578e370f30 R14: 0000000000040000 R15:
000055578e370e10
[   45.129183]  </TASK>
[   45.129376] ---[ end trace 0000000000000000 ]---
[   45.129744] ------------[ cut here ]------------
[   45.130109] refcount_t: addition on 0; use-after-free.
[   45.130555] WARNING: CPU: 1 PID: 1862 at lib/refcount.c:25
refcount_warn_saturate+0x120/0x190
[   45.131214] Modules linked in: fpga_mgr_test(+)
[   45.131588] CPU: 1 PID: 1862 Comm: modprobe Tainted: G        W
 N 6.6.0-rc3+ #54
[   45.132205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
[   45.132854] RIP: 0010:refcount_warn_saturate+0x120/0x190
[   45.133262] Code: 1d bc 3f 40 0a 80 fb 01 0f 87 5a f8 67 01 83 e3 01
0f 85 5d ff ff ff 48 c7 c7 e0 99 7a 84 c6 05 9c 3f 40 0a 01 e8 30 1e 80
fe <0f> 0b e9 43 ff ff ff 0f b6 1d 86 3f 40 0a 80 fb 01 0f 87 4f f8 67
[   45.134712] RSP: 0018:ffff8881062f7280 EFLAGS: 00010286
[   45.135138] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
0000000000000000
[   45.135698] RDX: 0000000000000002 RSI: ffffffff847b4d40 RDI:
0000000000000001
[   45.136244] RBP: 0000000000000002 R08: 0000000000000001 R09:
ffffed1020c5ee0f
[   45.136804] R10: ffff8881062f707f R11: 746e756f63666572 R12:
ffffffffa02121d0
[   45.137367] R13: ffff888101b6d858 R14: ffffffffa02121d0 R15:
ffff88810661aca0
[   45.137919] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
knlGS:0000000000000000
[   45.138551] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.139007] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
0000000000770ee0
[   45.139566] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[   45.140116] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[   45.140669] PKRU: 55555554
[   45.140882] Call Trace:
[   45.141084]  <TASK>
[   45.141254]  ? __warn+0xc9/0x260
[   45.141520]  ? refcount_warn_saturate+0x120/0x190
[   45.141889]  ? report_bug+0x345/0x400
[   45.142176]  ? handle_bug+0x3c/0x70
[   45.142461]  ? exc_invalid_op+0x14/0x40
[   45.142767]  ? asm_exc_invalid_op+0x16/0x20
[   45.143101]  ? refcount_warn_saturate+0x120/0x190
[   45.143474]  kobject_get+0xbd/0xe0
[   45.143745]  kobject_add_internal+0x9e/0x870
[   45.144084]  kobject_add+0x120/0x1f0
[   45.144378]  ? kset_create_and_add+0x160/0x160
[   45.144732]  ? __kmem_cache_alloc_node+0x1d2/0x350
[   45.145109]  ? _raw_spin_lock+0x87/0xe0
[   45.145426]  ? kobject_create_and_add+0x3c/0xb0
[   45.145787]  kobject_create_and_add+0x68/0xb0
[   45.146130]  module_add_driver+0x260/0x350
[   45.146465]  bus_add_driver+0x2c9/0x580
[   45.146762]  driver_register+0x133/0x460
[   45.147084]  kunit_run_tests+0xdb/0xef0
[   45.147404]  ? _raw_spin_lock_irqsave+0x8d/0xe0
[   45.147754]  ? __sched_text_end+0xa/0xa
[   45.148056]  ? _raw_spin_unlock_irqrestore+0x42/0x80
[   45.148456]  ? __kunit_test_suites_exit+0x80/0x80
[   45.148817]  ? set_track_prepare+0x8a/0xd0
[   45.149145]  ? get_object+0x70/0x70
[   45.149425]  ? alloc_inode+0x12a/0x1e0
[   45.149716]  ? new_inode+0x14/0x230
[   45.149989]  ? __debugfs_create_file+0xc8/0x5d0
[   45.150347]  ? __kunit_test_suites_init+0x73/0x140
[   45.150724]  ? kunit_module_notify+0x3ab/0x440
[   45.151074]  ? notifier_call_chain+0xbf/0x280
[   45.151420]  ? _raw_spin_lock_irqsave+0x8d/0xe0
[   45.151772]  ? __sched_text_end+0xa/0xa
[   45.152079]  ? projid_m_show+0x200/0x200
[   45.152403]  ? kasan_set_track+0x21/0x30
[   45.152712]  ? _raw_spin_lock+0x87/0xe0
[   45.153010]  ? _raw_spin_lock_bh+0xe0/0xe0
[   45.153333]  ? _raw_spin_lock+0x87/0xe0
[   45.153635]  ? __d_instantiate+0x1d5/0x3b0
[   45.153953]  ? alloc_inode+0x72/0x1e0
[   45.154235]  ? up_write+0x6d/0xa0
[   45.154509]  ? __debugfs_create_file+0x3b5/0x5d0
[   45.154869]  __kunit_test_suites_init+0xde/0x140
[   45.155222]  kunit_module_notify+0x3ab/0x440
[   45.155560]  ? __kunit_test_suites_init+0x140/0x140
[   45.155938]  ? preempt_count_add+0x79/0x150
[   45.156259]  notifier_call_chain+0xbf/0x280
[   45.156591]  ? kasan_quarantine_put+0x21/0x1a0
[   45.156937]  blocking_notifier_call_chain_robust+0xbb/0x140
[   45.157371]  ? notifier_call_chain+0x280/0x280
[   45.157713]  ? 0xffffffffa0208000
[   45.157967]  load_module+0x4af0/0x67d0
[   45.158255]  ? module_frob_arch_sections+0x20/0x20
[   45.158630]  ? rwsem_down_write_slowpath+0x11a0/0x11a0
[   45.159025]  ? kernel_read_file+0x3ca/0x510
[   45.159353]  ? __x64_sys_fspick+0x2a0/0x2a0
[   45.159673]  ? init_module_from_file+0xd2/0x130
[   45.160014]  init_module_from_file+0xd2/0x130
[   45.160356]  ? __ia32_sys_init_module+0xa0/0xa0
[   45.160702]  ? userfaultfd_unmap_prep+0x3d0/0x3d0
[   45.161058]  ? _raw_spin_lock_bh+0xe0/0xe0
[   45.161386]  idempotent_init_module+0x339/0x610
[   45.161727]  ? init_module_from_file+0x130/0x130
[   45.162081]  ? __fget_light+0x57/0x500
[   45.162378]  __x64_sys_finit_module+0xba/0x130
[   45.162720]  do_syscall_64+0x35/0x80
[   45.162989]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[   45.163380] RIP: 0033:0x7fabf471b839
[   45.163655] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
[   45.165049] RSP: 002b:00007ffd1f377128 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[   45.165627] RAX: ffffffffffffffda RBX: 000055578e370e10 RCX:
00007fabf471b839
[   45.166168] RDX: 0000000000000000 RSI: 000055578ca1bc2e RDI:
0000000000000003
[   45.166733] RBP: 000055578ca1bc2e R08: 0000000000000000 R09:
000055578e373210
[   45.167297] R10: 0000000000000003 R11: 0000000000000246 R12:
0000000000000000
[   45.167847] R13: 000055578e370f30 R14: 0000000000040000 R15:
000055578e370e10
[   45.168404]  </TASK>
[   45.168579] ---[ end trace 0000000000000000 ]---
[   45.168952] general protection fault, probably for non-canonical
address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
[   45.169771] KASAN: null-ptr-deref in range
[0x0000000000000018-0x000000000000001f]
[   45.170336] CPU: 1 PID: 1862 Comm: modprobe Tainted: G        W
 N 6.6.0-rc3+ #54
[   45.170935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
[   45.171562] RIP: 0010:kobject_namespace+0x71/0x150
[   45.171933] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cd 00 00 00 48
b8 00 00 00 00 00 fc ff df 49 8b 5c 24 28 48 8d 7b 18 48 89 fa 48 c1 ea
03 <80> 3c 02 00 0f 85 c1 00 00 00 48 8b 43 18 48 85 c0 74 79 4c 89 e7
[   45.173324] RSP: 0018:ffff8881062f7288 EFLAGS: 00010206
[   45.173716] RAX: dffffc0000000000 RBX: 0000000000000000 RCX:
0000000000000000
[   45.174245] RDX: 0000000000000003 RSI: ffffffff847b4d40 RDI:
0000000000000018
[   45.174777] RBP: ffff888101b6d840 R08: 0000000000000001 R09:
ffffed1020c5ee0f
[   45.175317] R10: ffff8881062f707f R11: 746e756f63666572 R12:
ffffffffa02121d0
[   45.175847] R13: ffff888101b6d858 R14: ffff888101b6d868 R15:
ffffffff84ac7020
[   45.176377] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
knlGS:0000000000000000
[   45.176977] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.177413] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
0000000000770ee0
[   45.177946] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[   45.178479] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[   45.179016] PKRU: 55555554
[   45.179227] Call Trace:
[   45.179418]  <TASK>
[   45.179584]  ? die_addr+0x3d/0xa0
[   45.179843]  ? exc_general_protection+0x144/0x220
[   45.180202]  ? asm_exc_general_protection+0x22/0x30
[   45.180570]  ? kobject_namespace+0x71/0x150
[   45.180886]  kobject_add_internal+0x267/0x870
[   45.181221]  kobject_add+0x120/0x1f0
[   45.181497]  ? kset_create_and_add+0x160/0x160
[   45.181828]  ? __kmem_cache_alloc_node+0x1d2/0x350
[   45.182188]  ? _raw_spin_lock+0x87/0xe0
[   45.182480]  ? kobject_create_and_add+0x3c/0xb0
[   45.182822]  kobject_create_and_add+0x68/0xb0
[   45.183159]  module_add_driver+0x260/0x350
[   45.183472]  bus_add_driver+0x2c9/0x580
[   45.183764]  driver_register+0x133/0x460
[   45.184061]  kunit_run_tests+0xdb/0xef0
[   45.184354]  ? _raw_spin_lock_irqsave+0x8d/0xe0
[   45.184700]  ? __sched_text_end+0xa/0xa
[   45.184993]  ? _raw_spin_unlock_irqrestore+0x42/0x80
[   45.185365]  ? __kunit_test_suites_exit+0x80/0x80
[   45.185718]  ? set_track_prepare+0x8a/0xd0
[   45.186027]  ? get_object+0x70/0x70
[   45.186296]  ? alloc_inode+0x12a/0x1e0
[   45.186578]  ? new_inode+0x14/0x230
[   45.186848]  ? __debugfs_create_file+0xc8/0x5d0
[   45.187199]  ? __kunit_test_suites_init+0x73/0x140
[   45.187563]  ? kunit_module_notify+0x3ab/0x440
[   45.187905]  ? notifier_call_chain+0xbf/0x280
[   45.188232]  ? _raw_spin_lock_irqsave+0x8d/0xe0
[   45.188574]  ? __sched_text_end+0xa/0xa
[   45.188862]  ? projid_m_show+0x200/0x200
[   45.189158]  ? kasan_set_track+0x21/0x30
[   45.189457]  ? _raw_spin_lock+0x87/0xe0
[   45.189747]  ? _raw_spin_lock_bh+0xe0/0xe0
[   45.190054]  ? _raw_spin_lock+0x87/0xe0
[   45.190345]  ? __d_instantiate+0x1d5/0x3b0
[   45.190657]  ? alloc_inode+0x72/0x1e0
[   45.190935]  ? up_write+0x6d/0xa0
[   45.191191]  ? __debugfs_create_file+0x3b5/0x5d0
[   45.191545]  __kunit_test_suites_init+0xde/0x140
[   45.191904]  kunit_module_notify+0x3ab/0x440
[   45.192226]  ? __kunit_test_suites_init+0x140/0x140
[   45.192601]  ? preempt_count_add+0x79/0x150
[   45.192927]  notifier_call_chain+0xbf/0x280
[   45.193244]  ? kasan_quarantine_put+0x21/0x1a0
[   45.193586]  blocking_notifier_call_chain_robust+0xbb/0x140
[   45.194015]  ? notifier_call_chain+0x280/0x280
[   45.194360]  ? 0xffffffffa0208000
[   45.194614]  load_module+0x4af0/0x67d0
[   45.194909]  ? module_frob_arch_sections+0x20/0x20
[   45.195274]  ? rwsem_down_write_slowpath+0x11a0/0x11a0
[   45.195672]  ? kernel_read_file+0x3ca/0x510
[   45.195997]  ? __x64_sys_fspick+0x2a0/0x2a0
[   45.196319]  ? init_module_from_file+0xd2/0x130
[   45.196675]  init_module_from_file+0xd2/0x130
[   45.197006]  ? __ia32_sys_init_module+0xa0/0xa0
[   45.197352]  ? userfaultfd_unmap_prep+0x3d0/0x3d0
[   45.197724]  ? _raw_spin_lock_bh+0xe0/0xe0
[   45.198044]  idempotent_init_module+0x339/0x610
[   45.198392]  ? init_module_from_file+0x130/0x130
[   45.198748]  ? __fget_light+0x57/0x500
[   45.199043]  __x64_sys_finit_module+0xba/0x130
[   45.199389]  do_syscall_64+0x35/0x80
[   45.199664]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[   45.200050] RIP: 0033:0x7fabf471b839
[   45.200325] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
[   45.201713] RSP: 002b:00007ffd1f377128 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[   45.202278] RAX: ffffffffffffffda RBX: 000055578e370e10 RCX:
00007fabf471b839
[   45.202816] RDX: 0000000000000000 RSI: 000055578ca1bc2e RDI:
0000000000000003
[   45.203348] RBP: 000055578ca1bc2e R08: 0000000000000000 R09:
000055578e373210
[   45.203886] R10: 0000000000000003 R11: 0000000000000246 R12:
0000000000000000
[   45.204426] R13: 000055578e370f30 R14: 0000000000040000 R15:
000055578e370e10
[   45.204962]  </TASK>
[   45.205140] Modules linked in: fpga_mgr_test(+)
[   45.205500] Dumping ftrace buffer:
[   45.205768]    (ftrace buffer empty)
[   45.206066] ---[ end trace 0000000000000000 ]---
[   45.206477] RIP: 0010:kobject_namespace+0x71/0x150
[   45.206850] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cd 00 00 00 48
b8 00 00 00 00 00 fc ff df 49 8b 5c 24 28 48 8d 7b 18 48 89 fa 48 c1 ea
03 <80> 3c 02 00 0f 85 c1 00 00 00 48 8b 43 18 48 85 c0 74 79 4c 89 e7
[   45.208501] RSP: 0018:ffff8881062f7288 EFLAGS: 00010206
[   45.209015] RAX: dffffc0000000000 RBX: 0000000000000000 RCX:
0000000000000000
[   45.209708] RDX: 0000000000000003 RSI: ffffffff847b4d40 RDI:
0000000000000018
[   45.210473] RBP: ffff888101b6d840 R08: 0000000000000001 R09:
ffffed1020c5ee0f
[   45.211142] R10: ffff8881062f707f R11: 746e756f63666572 R12:
ffffffffa02121d0
[   45.211898] R13: ffff888101b6d858 R14: ffff888101b6d868 R15:
ffffffff84ac7020
[   45.212653] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
knlGS:0000000000000000
[   45.213441] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.213970] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
0000000000770ee0
[   45.214716] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[   45.215424] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[   45.216089] PKRU: 55555554
[   45.216440] Kernel panic - not syncing: Fatal exception
[   45.217935] Dumping ftrace buffer:
[   45.218195]    (ftrace buffer empty)
[   45.218473] Kernel Offset: disabled
[   45.218740] Rebooting in 1 seconds..

> +}
> +
> +static void fpga_mgr_test_suite_exit(struct kunit_suite *suite)
> +{
> +	platform_driver_unregister(&test_platform_driver);
> +}
> +
>  static int fpga_mgr_test_init(struct kunit *test)
>  {
>  	struct mgr_ctx *ctx;
> @@ -284,7 +298,7 @@ static int fpga_mgr_test_init(struct kunit *test)
>  	ctx = kunit_kzalloc(test, sizeof(*ctx), GFP_KERNEL);
>  	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx);
>  
> -	ctx->pdev = platform_device_register_simple("mgr_pdev", PLATFORM_DEVID_AUTO, NULL, 0);
> +	ctx->pdev = platform_device_register_simple(TEST_PDEV_NAME, PLATFORM_DEVID_AUTO, NULL, 0);
>  	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx->pdev);
>  
>  	ctx->mgr = devm_fpga_mgr_register(&ctx->pdev->dev, "Fake FPGA Manager", &fake_mgr_ops,
> @@ -317,6 +331,8 @@ static struct kunit_case fpga_mgr_test_cases[] = {
>  
>  static struct kunit_suite fpga_mgr_suite = {
>  	.name = "fpga_mgr",
> +	.suite_init = fpga_mgr_test_suite_init,
> +	.suite_exit = fpga_mgr_test_suite_exit,
>  	.init = fpga_mgr_test_init,
>  	.exit = fpga_mgr_test_exit,
>  	.test_cases = fpga_mgr_test_cases,
  
Marco Pagani Sept. 27, 2023, 4:56 p.m. UTC | #2
On 2023-09-27 04:55, Ruan Jinjie wrote:
> 
> 
> On 2023/9/27 0:39, Marco Pagani wrote:
>> Register a minimal platform driver associated with the parent platform
>> device used for testing to prevent a null-ptr-deref when try_module_get()
>> is called by fpga_mgr_get().
>>
>> Fixes: ccbc1c302115 ("fpga: add an initial KUnit suite for the FPGA Manager")
>> Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
>> Signed-off-by: Marco Pagani <marpagan@redhat.com>
>> ---
>>  drivers/fpga/tests/fpga-mgr-test.c | 18 +++++++++++++++++-
>>  1 file changed, 17 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/fpga/tests/fpga-mgr-test.c b/drivers/fpga/tests/fpga-mgr-test.c
>> index 6acec55b60ce..30de474d7def 100644
>> --- a/drivers/fpga/tests/fpga-mgr-test.c
>> +++ b/drivers/fpga/tests/fpga-mgr-test.c
>> @@ -14,6 +14,8 @@
>>  #include <linux/scatterlist.h>
>>  #include <linux/types.h>
>>  
>> +#include "fpga-test-helpers.h"
>> +
>>  #define HEADER_FILL		'H'
>>  #define IMAGE_FILL		'P'
>>  #define IMAGE_BLOCK		1024
>> @@ -277,6 +279,18 @@ static void fpga_mgr_test_img_load_sgt(struct kunit *test)
>>  	sg_free_table(ctx->img_info->sgt);
>>  }
>>  
>> +TEST_PLATFORM_DRIVER(test_platform_driver);
>> +
>> +static int fpga_mgr_test_suite_init(struct kunit_suite *suite)
>> +{
>> +	return platform_driver_register(&test_platform_driver);
> 
> modprobe fpga-mgr-test and there is still a null-ptr-deref.


These issues appear to be caused by your commit 2810c1e99867 ("kunit: Fix
wild-memory-access bug in kunit_free_suite_set()") that causes all test
suites to run while modules are still in MODULE_STATE_COMING. In that
state, modules are not yet fully initialized lacking sysfs' kobjects
and hence causing module_add_driver() to fail.

You can test it by running the FPGA suites on a kernel before commit
2810c1e99867. I sent an RFC patch to restore the normal execution
flow and use the refcount to avoid calling kunit_free_suite_set() if
load_module() fails.

Thanks,
Marco


> 
> root@syzkaller:~# modprobe fpga-mgr-test
> [   45.088127] KTAP version 1
> [   45.088354] 1..1
> [   45.089520] ------------[ cut here ]------------
> [   45.089861] kobject: '(null)' (ffffffffa02121d0): is not initialized,
> yet kobject_get() is being called.
> [   45.090608] WARNING: CPU: 1 PID: 1862 at lib/kobject.c:637
> kobject_get+0x98/0xe0
> [   45.091209] Modules linked in: fpga_mgr_test(+)
> [   45.091581] CPU: 1 PID: 1862 Comm: modprobe Tainted: G
>  N 6.6.0-rc3+ #54
> [   45.092201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.15.0-1 04/01/2014
> [   45.092870] RIP: 0010:kobject_get+0x98/0xe0
> [   45.093200] Code: 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03
> 80 3c 02 00 75 44 49 8b 34 24 4c 89 e2 48 c7 c7 20 63 ac 84 e8 38 fe 24
> fd <0f> 0b eb a2 48 89 ef be 01 00 00 00 e8 d7 de a4 fe 4c 89 e0 5d 41
> [   45.094653] RSP: 0018:ffff8881062f7298 EFLAGS: 00010286
> [   45.095086] RAX: 0000000000000000 RBX: ffffffff848a3660 RCX:
> 0000000000000000
> [   45.095649] RDX: 0000000000000002 RSI: ffffffff847b4d40 RDI:
> 0000000000000001
> [   45.096205] RBP: ffff888101b6d840 R08: 0000000000000001 R09:
> ffffed1020c5ee12
> [   45.096761] R10: ffff8881062f7097 R11: 3a7463656a626f6b R12:
> ffffffffa02121d0
> [   45.097315] R13: ffff888101b6d858 R14: ffffffffa02121d0 R15:
> ffff88810661aca0
> [   45.097863] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
> knlGS:0000000000000000
> [   45.098485] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   45.098933] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
> 0000000000770ee0
> [   45.099497] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [   45.100054] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [   45.100615] PKRU: 55555554
> [   45.100833] Call Trace:
> [   45.101034]  <TASK>
> [   45.101206]  ? __warn+0xc9/0x260
> [   45.101480]  ? irq_work_queue+0x35/0x50
> [   45.101786]  ? kobject_get+0x98/0xe0
> [   45.102073]  ? report_bug+0x345/0x400
> [   45.102377]  ? handle_bug+0x3c/0x70
> [   45.102661]  ? exc_invalid_op+0x14/0x40
> [   45.102968]  ? asm_exc_invalid_op+0x16/0x20
> [   45.103317]  ? kobject_get+0x98/0xe0
> [   45.103604]  ? kobject_get+0x98/0xe0
> [   45.103892]  kobject_add_internal+0x9e/0x870
> [   45.104235]  kobject_add+0x120/0x1f0
> [   45.104535]  ? kset_create_and_add+0x160/0x160
> [   45.104892]  ? __kmem_cache_alloc_node+0x1d2/0x350
> [   45.105269]  ? _raw_spin_lock+0x87/0xe0
> [   45.105586]  ? kobject_create_and_add+0x3c/0xb0
> [   45.105948]  kobject_create_and_add+0x68/0xb0
> [   45.106303]  module_add_driver+0x260/0x350
> [   45.106635]  bus_add_driver+0x2c9/0x580
> [   45.106941]  driver_register+0x133/0x460
> [   45.107284]  kunit_run_tests+0xdb/0xef0
> [   45.107599]  ? _raw_spin_lock_irqsave+0x8d/0xe0
> [   45.107962]  ? __sched_text_end+0xa/0xa
> [   45.108284]  ? _raw_spin_unlock_irqrestore+0x42/0x80
> [   45.108675]  ? __kunit_test_suites_exit+0x80/0x80
> [   45.109045]  ? set_track_prepare+0x8a/0xd0
> [   45.109380]  ? get_object+0x70/0x70
> [   45.109658]  ? alloc_inode+0x12a/0x1e0
> [   45.109960]  ? new_inode+0x14/0x230
> [   45.110238]  ? __debugfs_create_file+0xc8/0x5d0
> [   45.110607]  ? __kunit_test_suites_init+0x73/0x140
> [   45.110982]  ? kunit_module_notify+0x3ab/0x440
> [   45.111341]  ? notifier_call_chain+0xbf/0x280
> [   45.111688]  ? _raw_spin_lock_irqsave+0x8d/0xe0
> [   45.112045]  ? __sched_text_end+0xa/0xa
> [   45.112362]  ? projid_m_show+0x200/0x200
> [   45.112671]  ? kasan_set_track+0x21/0x30
> [   45.112974]  ? _raw_spin_lock+0x87/0xe0
> [   45.113290]  ? _raw_spin_lock_bh+0xe0/0xe0
> [   45.113615]  ? _raw_spin_lock+0x87/0xe0
> [   45.113914]  ? __d_instantiate+0x1d5/0x3b0
> [   45.114232]  ? alloc_inode+0x72/0x1e0
> [   45.114535]  ? up_write+0x6d/0xa0
> [   45.114803]  ? __debugfs_create_file+0x3b5/0x5d0
> [   45.115180]  __kunit_test_suites_init+0xde/0x140
> [   45.115557]  kunit_module_notify+0x3ab/0x440
> [   45.115895]  ? __kunit_test_suites_init+0x140/0x140
> [   45.116287]  ? preempt_count_add+0x79/0x150
> [   45.116623]  notifier_call_chain+0xbf/0x280
> [   45.116953]  ? kasan_quarantine_put+0x21/0x1a0
> [   45.117311]  blocking_notifier_call_chain_robust+0xbb/0x140
> [   45.117747]  ? notifier_call_chain+0x280/0x280
> [   45.118097]  ? 0xffffffffa0208000
> [   45.118372]  load_module+0x4af0/0x67d0
> [   45.118671]  ? module_frob_arch_sections+0x20/0x20
> [   45.119057]  ? rwsem_down_write_slowpath+0x11a0/0x11a0
> [   45.119476]  ? kernel_read_file+0x3ca/0x510
> [   45.119807]  ? __x64_sys_fspick+0x2a0/0x2a0
> [   45.120134]  ? init_module_from_file+0xd2/0x130
> [   45.120499]  init_module_from_file+0xd2/0x130
> [   45.120843]  ? __ia32_sys_init_module+0xa0/0xa0
> [   45.121203]  ? userfaultfd_unmap_prep+0x3d0/0x3d0
> [   45.121589]  ? _raw_spin_lock_bh+0xe0/0xe0
> [   45.121916]  idempotent_init_module+0x339/0x610
> [   45.122286]  ? init_module_from_file+0x130/0x130
> [   45.122648]  ? __fget_light+0x57/0x500
> [   45.122950]  __x64_sys_finit_module+0xba/0x130
> [   45.123323]  do_syscall_64+0x35/0x80
> [   45.123607]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
> [   45.124001] RIP: 0033:0x7fabf471b839
> [   45.124303] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
> 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
> 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
> [   45.125754] RSP: 002b:00007ffd1f377128 EFLAGS: 00000246 ORIG_RAX:
> 0000000000000139
> [   45.126359] RAX: ffffffffffffffda RBX: 000055578e370e10 RCX:
> 00007fabf471b839
> [   45.126921] RDX: 0000000000000000 RSI: 000055578ca1bc2e RDI:
> 0000000000000003
> [   45.127505] RBP: 000055578ca1bc2e R08: 0000000000000000 R09:
> 000055578e373210
> [   45.128057] R10: 0000000000000003 R11: 0000000000000246 R12:
> 0000000000000000
> [   45.128621] R13: 000055578e370f30 R14: 0000000000040000 R15:
> 000055578e370e10
> [   45.129183]  </TASK>
> [   45.129376] ---[ end trace 0000000000000000 ]---
> [   45.129744] ------------[ cut here ]------------
> [   45.130109] refcount_t: addition on 0; use-after-free.
> [   45.130555] WARNING: CPU: 1 PID: 1862 at lib/refcount.c:25
> refcount_warn_saturate+0x120/0x190
> [   45.131214] Modules linked in: fpga_mgr_test(+)
> [   45.131588] CPU: 1 PID: 1862 Comm: modprobe Tainted: G        W
>  N 6.6.0-rc3+ #54
> [   45.132205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.15.0-1 04/01/2014
> [   45.132854] RIP: 0010:refcount_warn_saturate+0x120/0x190
> [   45.133262] Code: 1d bc 3f 40 0a 80 fb 01 0f 87 5a f8 67 01 83 e3 01
> 0f 85 5d ff ff ff 48 c7 c7 e0 99 7a 84 c6 05 9c 3f 40 0a 01 e8 30 1e 80
> fe <0f> 0b e9 43 ff ff ff 0f b6 1d 86 3f 40 0a 80 fb 01 0f 87 4f f8 67
> [   45.134712] RSP: 0018:ffff8881062f7280 EFLAGS: 00010286
> [   45.135138] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
> 0000000000000000
> [   45.135698] RDX: 0000000000000002 RSI: ffffffff847b4d40 RDI:
> 0000000000000001
> [   45.136244] RBP: 0000000000000002 R08: 0000000000000001 R09:
> ffffed1020c5ee0f
> [   45.136804] R10: ffff8881062f707f R11: 746e756f63666572 R12:
> ffffffffa02121d0
> [   45.137367] R13: ffff888101b6d858 R14: ffffffffa02121d0 R15:
> ffff88810661aca0
> [   45.137919] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
> knlGS:0000000000000000
> [   45.138551] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   45.139007] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
> 0000000000770ee0
> [   45.139566] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [   45.140116] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [   45.140669] PKRU: 55555554
> [   45.140882] Call Trace:
> [   45.141084]  <TASK>
> [   45.141254]  ? __warn+0xc9/0x260
> [   45.141520]  ? refcount_warn_saturate+0x120/0x190
> [   45.141889]  ? report_bug+0x345/0x400
> [   45.142176]  ? handle_bug+0x3c/0x70
> [   45.142461]  ? exc_invalid_op+0x14/0x40
> [   45.142767]  ? asm_exc_invalid_op+0x16/0x20
> [   45.143101]  ? refcount_warn_saturate+0x120/0x190
> [   45.143474]  kobject_get+0xbd/0xe0
> [   45.143745]  kobject_add_internal+0x9e/0x870
> [   45.144084]  kobject_add+0x120/0x1f0
> [   45.144378]  ? kset_create_and_add+0x160/0x160
> [   45.144732]  ? __kmem_cache_alloc_node+0x1d2/0x350
> [   45.145109]  ? _raw_spin_lock+0x87/0xe0
> [   45.145426]  ? kobject_create_and_add+0x3c/0xb0
> [   45.145787]  kobject_create_and_add+0x68/0xb0
> [   45.146130]  module_add_driver+0x260/0x350
> [   45.146465]  bus_add_driver+0x2c9/0x580
> [   45.146762]  driver_register+0x133/0x460
> [   45.147084]  kunit_run_tests+0xdb/0xef0
> [   45.147404]  ? _raw_spin_lock_irqsave+0x8d/0xe0
> [   45.147754]  ? __sched_text_end+0xa/0xa
> [   45.148056]  ? _raw_spin_unlock_irqrestore+0x42/0x80
> [   45.148456]  ? __kunit_test_suites_exit+0x80/0x80
> [   45.148817]  ? set_track_prepare+0x8a/0xd0
> [   45.149145]  ? get_object+0x70/0x70
> [   45.149425]  ? alloc_inode+0x12a/0x1e0
> [   45.149716]  ? new_inode+0x14/0x230
> [   45.149989]  ? __debugfs_create_file+0xc8/0x5d0
> [   45.150347]  ? __kunit_test_suites_init+0x73/0x140
> [   45.150724]  ? kunit_module_notify+0x3ab/0x440
> [   45.151074]  ? notifier_call_chain+0xbf/0x280
> [   45.151420]  ? _raw_spin_lock_irqsave+0x8d/0xe0
> [   45.151772]  ? __sched_text_end+0xa/0xa
> [   45.152079]  ? projid_m_show+0x200/0x200
> [   45.152403]  ? kasan_set_track+0x21/0x30
> [   45.152712]  ? _raw_spin_lock+0x87/0xe0
> [   45.153010]  ? _raw_spin_lock_bh+0xe0/0xe0
> [   45.153333]  ? _raw_spin_lock+0x87/0xe0
> [   45.153635]  ? __d_instantiate+0x1d5/0x3b0
> [   45.153953]  ? alloc_inode+0x72/0x1e0
> [   45.154235]  ? up_write+0x6d/0xa0
> [   45.154509]  ? __debugfs_create_file+0x3b5/0x5d0
> [   45.154869]  __kunit_test_suites_init+0xde/0x140
> [   45.155222]  kunit_module_notify+0x3ab/0x440
> [   45.155560]  ? __kunit_test_suites_init+0x140/0x140
> [   45.155938]  ? preempt_count_add+0x79/0x150
> [   45.156259]  notifier_call_chain+0xbf/0x280
> [   45.156591]  ? kasan_quarantine_put+0x21/0x1a0
> [   45.156937]  blocking_notifier_call_chain_robust+0xbb/0x140
> [   45.157371]  ? notifier_call_chain+0x280/0x280
> [   45.157713]  ? 0xffffffffa0208000
> [   45.157967]  load_module+0x4af0/0x67d0
> [   45.158255]  ? module_frob_arch_sections+0x20/0x20
> [   45.158630]  ? rwsem_down_write_slowpath+0x11a0/0x11a0
> [   45.159025]  ? kernel_read_file+0x3ca/0x510
> [   45.159353]  ? __x64_sys_fspick+0x2a0/0x2a0
> [   45.159673]  ? init_module_from_file+0xd2/0x130
> [   45.160014]  init_module_from_file+0xd2/0x130
> [   45.160356]  ? __ia32_sys_init_module+0xa0/0xa0
> [   45.160702]  ? userfaultfd_unmap_prep+0x3d0/0x3d0
> [   45.161058]  ? _raw_spin_lock_bh+0xe0/0xe0
> [   45.161386]  idempotent_init_module+0x339/0x610
> [   45.161727]  ? init_module_from_file+0x130/0x130
> [   45.162081]  ? __fget_light+0x57/0x500
> [   45.162378]  __x64_sys_finit_module+0xba/0x130
> [   45.162720]  do_syscall_64+0x35/0x80
> [   45.162989]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
> [   45.163380] RIP: 0033:0x7fabf471b839
> [   45.163655] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
> 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
> 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
> [   45.165049] RSP: 002b:00007ffd1f377128 EFLAGS: 00000246 ORIG_RAX:
> 0000000000000139
> [   45.165627] RAX: ffffffffffffffda RBX: 000055578e370e10 RCX:
> 00007fabf471b839
> [   45.166168] RDX: 0000000000000000 RSI: 000055578ca1bc2e RDI:
> 0000000000000003
> [   45.166733] RBP: 000055578ca1bc2e R08: 0000000000000000 R09:
> 000055578e373210
> [   45.167297] R10: 0000000000000003 R11: 0000000000000246 R12:
> 0000000000000000
> [   45.167847] R13: 000055578e370f30 R14: 0000000000040000 R15:
> 000055578e370e10
> [   45.168404]  </TASK>
> [   45.168579] ---[ end trace 0000000000000000 ]---
> [   45.168952] general protection fault, probably for non-canonical
> address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
> [   45.169771] KASAN: null-ptr-deref in range
> [0x0000000000000018-0x000000000000001f]
> [   45.170336] CPU: 1 PID: 1862 Comm: modprobe Tainted: G        W
>  N 6.6.0-rc3+ #54
> [   45.170935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.15.0-1 04/01/2014
> [   45.171562] RIP: 0010:kobject_namespace+0x71/0x150
> [   45.171933] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cd 00 00 00 48
> b8 00 00 00 00 00 fc ff df 49 8b 5c 24 28 48 8d 7b 18 48 89 fa 48 c1 ea
> 03 <80> 3c 02 00 0f 85 c1 00 00 00 48 8b 43 18 48 85 c0 74 79 4c 89 e7
> [   45.173324] RSP: 0018:ffff8881062f7288 EFLAGS: 00010206
> [   45.173716] RAX: dffffc0000000000 RBX: 0000000000000000 RCX:
> 0000000000000000
> [   45.174245] RDX: 0000000000000003 RSI: ffffffff847b4d40 RDI:
> 0000000000000018
> [   45.174777] RBP: ffff888101b6d840 R08: 0000000000000001 R09:
> ffffed1020c5ee0f
> [   45.175317] R10: ffff8881062f707f R11: 746e756f63666572 R12:
> ffffffffa02121d0
> [   45.175847] R13: ffff888101b6d858 R14: ffff888101b6d868 R15:
> ffffffff84ac7020
> [   45.176377] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
> knlGS:0000000000000000
> [   45.176977] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   45.177413] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
> 0000000000770ee0
> [   45.177946] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [   45.178479] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [   45.179016] PKRU: 55555554
> [   45.179227] Call Trace:
> [   45.179418]  <TASK>
> [   45.179584]  ? die_addr+0x3d/0xa0
> [   45.179843]  ? exc_general_protection+0x144/0x220
> [   45.180202]  ? asm_exc_general_protection+0x22/0x30
> [   45.180570]  ? kobject_namespace+0x71/0x150
> [   45.180886]  kobject_add_internal+0x267/0x870
> [   45.181221]  kobject_add+0x120/0x1f0
> [   45.181497]  ? kset_create_and_add+0x160/0x160
> [   45.181828]  ? __kmem_cache_alloc_node+0x1d2/0x350
> [   45.182188]  ? _raw_spin_lock+0x87/0xe0
> [   45.182480]  ? kobject_create_and_add+0x3c/0xb0
> [   45.182822]  kobject_create_and_add+0x68/0xb0
> [   45.183159]  module_add_driver+0x260/0x350
> [   45.183472]  bus_add_driver+0x2c9/0x580
> [   45.183764]  driver_register+0x133/0x460
> [   45.184061]  kunit_run_tests+0xdb/0xef0
> [   45.184354]  ? _raw_spin_lock_irqsave+0x8d/0xe0
> [   45.184700]  ? __sched_text_end+0xa/0xa
> [   45.184993]  ? _raw_spin_unlock_irqrestore+0x42/0x80
> [   45.185365]  ? __kunit_test_suites_exit+0x80/0x80
> [   45.185718]  ? set_track_prepare+0x8a/0xd0
> [   45.186027]  ? get_object+0x70/0x70
> [   45.186296]  ? alloc_inode+0x12a/0x1e0
> [   45.186578]  ? new_inode+0x14/0x230
> [   45.186848]  ? __debugfs_create_file+0xc8/0x5d0
> [   45.187199]  ? __kunit_test_suites_init+0x73/0x140
> [   45.187563]  ? kunit_module_notify+0x3ab/0x440
> [   45.187905]  ? notifier_call_chain+0xbf/0x280
> [   45.188232]  ? _raw_spin_lock_irqsave+0x8d/0xe0
> [   45.188574]  ? __sched_text_end+0xa/0xa
> [   45.188862]  ? projid_m_show+0x200/0x200
> [   45.189158]  ? kasan_set_track+0x21/0x30
> [   45.189457]  ? _raw_spin_lock+0x87/0xe0
> [   45.189747]  ? _raw_spin_lock_bh+0xe0/0xe0
> [   45.190054]  ? _raw_spin_lock+0x87/0xe0
> [   45.190345]  ? __d_instantiate+0x1d5/0x3b0
> [   45.190657]  ? alloc_inode+0x72/0x1e0
> [   45.190935]  ? up_write+0x6d/0xa0
> [   45.191191]  ? __debugfs_create_file+0x3b5/0x5d0
> [   45.191545]  __kunit_test_suites_init+0xde/0x140
> [   45.191904]  kunit_module_notify+0x3ab/0x440
> [   45.192226]  ? __kunit_test_suites_init+0x140/0x140
> [   45.192601]  ? preempt_count_add+0x79/0x150
> [   45.192927]  notifier_call_chain+0xbf/0x280
> [   45.193244]  ? kasan_quarantine_put+0x21/0x1a0
> [   45.193586]  blocking_notifier_call_chain_robust+0xbb/0x140
> [   45.194015]  ? notifier_call_chain+0x280/0x280
> [   45.194360]  ? 0xffffffffa0208000
> [   45.194614]  load_module+0x4af0/0x67d0
> [   45.194909]  ? module_frob_arch_sections+0x20/0x20
> [   45.195274]  ? rwsem_down_write_slowpath+0x11a0/0x11a0
> [   45.195672]  ? kernel_read_file+0x3ca/0x510
> [   45.195997]  ? __x64_sys_fspick+0x2a0/0x2a0
> [   45.196319]  ? init_module_from_file+0xd2/0x130
> [   45.196675]  init_module_from_file+0xd2/0x130
> [   45.197006]  ? __ia32_sys_init_module+0xa0/0xa0
> [   45.197352]  ? userfaultfd_unmap_prep+0x3d0/0x3d0
> [   45.197724]  ? _raw_spin_lock_bh+0xe0/0xe0
> [   45.198044]  idempotent_init_module+0x339/0x610
> [   45.198392]  ? init_module_from_file+0x130/0x130
> [   45.198748]  ? __fget_light+0x57/0x500
> [   45.199043]  __x64_sys_finit_module+0xba/0x130
> [   45.199389]  do_syscall_64+0x35/0x80
> [   45.199664]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
> [   45.200050] RIP: 0033:0x7fabf471b839
> [   45.200325] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
> 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
> 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
> [   45.201713] RSP: 002b:00007ffd1f377128 EFLAGS: 00000246 ORIG_RAX:
> 0000000000000139
> [   45.202278] RAX: ffffffffffffffda RBX: 000055578e370e10 RCX:
> 00007fabf471b839
> [   45.202816] RDX: 0000000000000000 RSI: 000055578ca1bc2e RDI:
> 0000000000000003
> [   45.203348] RBP: 000055578ca1bc2e R08: 0000000000000000 R09:
> 000055578e373210
> [   45.203886] R10: 0000000000000003 R11: 0000000000000246 R12:
> 0000000000000000
> [   45.204426] R13: 000055578e370f30 R14: 0000000000040000 R15:
> 000055578e370e10
> [   45.204962]  </TASK>
> [   45.205140] Modules linked in: fpga_mgr_test(+)
> [   45.205500] Dumping ftrace buffer:
> [   45.205768]    (ftrace buffer empty)
> [   45.206066] ---[ end trace 0000000000000000 ]---
> [   45.206477] RIP: 0010:kobject_namespace+0x71/0x150
> [   45.206850] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cd 00 00 00 48
> b8 00 00 00 00 00 fc ff df 49 8b 5c 24 28 48 8d 7b 18 48 89 fa 48 c1 ea
> 03 <80> 3c 02 00 0f 85 c1 00 00 00 48 8b 43 18 48 85 c0 74 79 4c 89 e7
> [   45.208501] RSP: 0018:ffff8881062f7288 EFLAGS: 00010206
> [   45.209015] RAX: dffffc0000000000 RBX: 0000000000000000 RCX:
> 0000000000000000
> [   45.209708] RDX: 0000000000000003 RSI: ffffffff847b4d40 RDI:
> 0000000000000018
> [   45.210473] RBP: ffff888101b6d840 R08: 0000000000000001 R09:
> ffffed1020c5ee0f
> [   45.211142] R10: ffff8881062f707f R11: 746e756f63666572 R12:
> ffffffffa02121d0
> [   45.211898] R13: ffff888101b6d858 R14: ffff888101b6d868 R15:
> ffffffff84ac7020
> [   45.212653] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
> knlGS:0000000000000000
> [   45.213441] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   45.213970] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
> 0000000000770ee0
> [   45.214716] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [   45.215424] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [   45.216089] PKRU: 55555554
> [   45.216440] Kernel panic - not syncing: Fatal exception
> [   45.217935] Dumping ftrace buffer:
> [   45.218195]    (ftrace buffer empty)
> [   45.218473] Kernel Offset: disabled
> [   45.218740] Rebooting in 1 seconds..
> 
>> +}
>> +
>> +static void fpga_mgr_test_suite_exit(struct kunit_suite *suite)
>> +{
>> +	platform_driver_unregister(&test_platform_driver);
>> +}
>> +
>>  static int fpga_mgr_test_init(struct kunit *test)
>>  {
>>  	struct mgr_ctx *ctx;
>> @@ -284,7 +298,7 @@ static int fpga_mgr_test_init(struct kunit *test)
>>  	ctx = kunit_kzalloc(test, sizeof(*ctx), GFP_KERNEL);
>>  	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx);
>>  
>> -	ctx->pdev = platform_device_register_simple("mgr_pdev", PLATFORM_DEVID_AUTO, NULL, 0);
>> +	ctx->pdev = platform_device_register_simple(TEST_PDEV_NAME, PLATFORM_DEVID_AUTO, NULL, 0);
>>  	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx->pdev);
>>  
>>  	ctx->mgr = devm_fpga_mgr_register(&ctx->pdev->dev, "Fake FPGA Manager", &fake_mgr_ops,
>> @@ -317,6 +331,8 @@ static struct kunit_case fpga_mgr_test_cases[] = {
>>  
>>  static struct kunit_suite fpga_mgr_suite = {
>>  	.name = "fpga_mgr",
>> +	.suite_init = fpga_mgr_test_suite_init,
>> +	.suite_exit = fpga_mgr_test_suite_exit,
>>  	.init = fpga_mgr_test_init,
>>  	.exit = fpga_mgr_test_exit,
>>  	.test_cases = fpga_mgr_test_cases,
>
  
Jinjie Ruan Sept. 28, 2023, 3:41 a.m. UTC | #3
On 2023/9/28 0:56, Marco Pagani wrote:
> 
> 
> On 2023-09-27 04:55, Ruan Jinjie wrote:
>>
>>
>> On 2023/9/27 0:39, Marco Pagani wrote:
>>> Register a minimal platform driver associated with the parent platform
>>> device used for testing to prevent a null-ptr-deref when try_module_get()
>>> is called by fpga_mgr_get().
>>>
>>> Fixes: ccbc1c302115 ("fpga: add an initial KUnit suite for the FPGA Manager")
>>> Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
>>> Signed-off-by: Marco Pagani <marpagan@redhat.com>
>>> ---
>>>  drivers/fpga/tests/fpga-mgr-test.c | 18 +++++++++++++++++-
>>>  1 file changed, 17 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/fpga/tests/fpga-mgr-test.c b/drivers/fpga/tests/fpga-mgr-test.c
>>> index 6acec55b60ce..30de474d7def 100644
>>> --- a/drivers/fpga/tests/fpga-mgr-test.c
>>> +++ b/drivers/fpga/tests/fpga-mgr-test.c
>>> @@ -14,6 +14,8 @@
>>>  #include <linux/scatterlist.h>
>>>  #include <linux/types.h>
>>>  
>>> +#include "fpga-test-helpers.h"
>>> +
>>>  #define HEADER_FILL		'H'
>>>  #define IMAGE_FILL		'P'
>>>  #define IMAGE_BLOCK		1024
>>> @@ -277,6 +279,18 @@ static void fpga_mgr_test_img_load_sgt(struct kunit *test)
>>>  	sg_free_table(ctx->img_info->sgt);
>>>  }
>>>  
>>> +TEST_PLATFORM_DRIVER(test_platform_driver);
>>> +
>>> +static int fpga_mgr_test_suite_init(struct kunit_suite *suite)
>>> +{
>>> +	return platform_driver_register(&test_platform_driver);
>>
>> modprobe fpga-mgr-test and there is still a null-ptr-deref.
> 
> 
> These issues appear to be caused by your commit 2810c1e99867 ("kunit: Fix
> wild-memory-access bug in kunit_free_suite_set()") that causes all test
> suites to run while modules are still in MODULE_STATE_COMING. In that
> state, modules are not yet fully initialized lacking sysfs' kobjects
> and hence causing module_add_driver() to fail.

Right! it is the commit's issue.

> 
> You can test it by running the FPGA suites on a kernel before commit
> 2810c1e99867. I sent an RFC patch to restore the normal execution
> flow and use the refcount to avoid calling kunit_free_suite_set() if
> load_module() fails.

I have a more elegant way to fix it, which split the init func into 2
parts and use the return error code to avoid check whether free is
empty. I'll send it sooner.

> 
> Thanks,
> Marco
> 
> 
>>
>> root@syzkaller:~# modprobe fpga-mgr-test
>> [   45.088127] KTAP version 1
>> [   45.088354] 1..1
>> [   45.089520] ------------[ cut here ]------------
>> [   45.089861] kobject: '(null)' (ffffffffa02121d0): is not initialized,
>> yet kobject_get() is being called.
>> [   45.090608] WARNING: CPU: 1 PID: 1862 at lib/kobject.c:637
>> kobject_get+0x98/0xe0
>> [   45.091209] Modules linked in: fpga_mgr_test(+)
>> [   45.091581] CPU: 1 PID: 1862 Comm: modprobe Tainted: G
>>  N 6.6.0-rc3+ #54
>> [   45.092201] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
>> BIOS 1.15.0-1 04/01/2014
>> [   45.092870] RIP: 0010:kobject_get+0x98/0xe0
>> [   45.093200] Code: 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03
>> 80 3c 02 00 75 44 49 8b 34 24 4c 89 e2 48 c7 c7 20 63 ac 84 e8 38 fe 24
>> fd <0f> 0b eb a2 48 89 ef be 01 00 00 00 e8 d7 de a4 fe 4c 89 e0 5d 41
>> [   45.094653] RSP: 0018:ffff8881062f7298 EFLAGS: 00010286
>> [   45.095086] RAX: 0000000000000000 RBX: ffffffff848a3660 RCX:
>> 0000000000000000
>> [   45.095649] RDX: 0000000000000002 RSI: ffffffff847b4d40 RDI:
>> 0000000000000001
>> [   45.096205] RBP: ffff888101b6d840 R08: 0000000000000001 R09:
>> ffffed1020c5ee12
>> [   45.096761] R10: ffff8881062f7097 R11: 3a7463656a626f6b R12:
>> ffffffffa02121d0
>> [   45.097315] R13: ffff888101b6d858 R14: ffffffffa02121d0 R15:
>> ffff88810661aca0
>> [   45.097863] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
>> knlGS:0000000000000000
>> [   45.098485] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [   45.098933] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
>> 0000000000770ee0
>> [   45.099497] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [   45.100054] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
>> 0000000000000400
>> [   45.100615] PKRU: 55555554
>> [   45.100833] Call Trace:
>> [   45.101034]  <TASK>
>> [   45.101206]  ? __warn+0xc9/0x260
>> [   45.101480]  ? irq_work_queue+0x35/0x50
>> [   45.101786]  ? kobject_get+0x98/0xe0
>> [   45.102073]  ? report_bug+0x345/0x400
>> [   45.102377]  ? handle_bug+0x3c/0x70
>> [   45.102661]  ? exc_invalid_op+0x14/0x40
>> [   45.102968]  ? asm_exc_invalid_op+0x16/0x20
>> [   45.103317]  ? kobject_get+0x98/0xe0
>> [   45.103604]  ? kobject_get+0x98/0xe0
>> [   45.103892]  kobject_add_internal+0x9e/0x870
>> [   45.104235]  kobject_add+0x120/0x1f0
>> [   45.104535]  ? kset_create_and_add+0x160/0x160
>> [   45.104892]  ? __kmem_cache_alloc_node+0x1d2/0x350
>> [   45.105269]  ? _raw_spin_lock+0x87/0xe0
>> [   45.105586]  ? kobject_create_and_add+0x3c/0xb0
>> [   45.105948]  kobject_create_and_add+0x68/0xb0
>> [   45.106303]  module_add_driver+0x260/0x350
>> [   45.106635]  bus_add_driver+0x2c9/0x580
>> [   45.106941]  driver_register+0x133/0x460
>> [   45.107284]  kunit_run_tests+0xdb/0xef0
>> [   45.107599]  ? _raw_spin_lock_irqsave+0x8d/0xe0
>> [   45.107962]  ? __sched_text_end+0xa/0xa
>> [   45.108284]  ? _raw_spin_unlock_irqrestore+0x42/0x80
>> [   45.108675]  ? __kunit_test_suites_exit+0x80/0x80
>> [   45.109045]  ? set_track_prepare+0x8a/0xd0
>> [   45.109380]  ? get_object+0x70/0x70
>> [   45.109658]  ? alloc_inode+0x12a/0x1e0
>> [   45.109960]  ? new_inode+0x14/0x230
>> [   45.110238]  ? __debugfs_create_file+0xc8/0x5d0
>> [   45.110607]  ? __kunit_test_suites_init+0x73/0x140
>> [   45.110982]  ? kunit_module_notify+0x3ab/0x440
>> [   45.111341]  ? notifier_call_chain+0xbf/0x280
>> [   45.111688]  ? _raw_spin_lock_irqsave+0x8d/0xe0
>> [   45.112045]  ? __sched_text_end+0xa/0xa
>> [   45.112362]  ? projid_m_show+0x200/0x200
>> [   45.112671]  ? kasan_set_track+0x21/0x30
>> [   45.112974]  ? _raw_spin_lock+0x87/0xe0
>> [   45.113290]  ? _raw_spin_lock_bh+0xe0/0xe0
>> [   45.113615]  ? _raw_spin_lock+0x87/0xe0
>> [   45.113914]  ? __d_instantiate+0x1d5/0x3b0
>> [   45.114232]  ? alloc_inode+0x72/0x1e0
>> [   45.114535]  ? up_write+0x6d/0xa0
>> [   45.114803]  ? __debugfs_create_file+0x3b5/0x5d0
>> [   45.115180]  __kunit_test_suites_init+0xde/0x140
>> [   45.115557]  kunit_module_notify+0x3ab/0x440
>> [   45.115895]  ? __kunit_test_suites_init+0x140/0x140
>> [   45.116287]  ? preempt_count_add+0x79/0x150
>> [   45.116623]  notifier_call_chain+0xbf/0x280
>> [   45.116953]  ? kasan_quarantine_put+0x21/0x1a0
>> [   45.117311]  blocking_notifier_call_chain_robust+0xbb/0x140
>> [   45.117747]  ? notifier_call_chain+0x280/0x280
>> [   45.118097]  ? 0xffffffffa0208000
>> [   45.118372]  load_module+0x4af0/0x67d0
>> [   45.118671]  ? module_frob_arch_sections+0x20/0x20
>> [   45.119057]  ? rwsem_down_write_slowpath+0x11a0/0x11a0
>> [   45.119476]  ? kernel_read_file+0x3ca/0x510
>> [   45.119807]  ? __x64_sys_fspick+0x2a0/0x2a0
>> [   45.120134]  ? init_module_from_file+0xd2/0x130
>> [   45.120499]  init_module_from_file+0xd2/0x130
>> [   45.120843]  ? __ia32_sys_init_module+0xa0/0xa0
>> [   45.121203]  ? userfaultfd_unmap_prep+0x3d0/0x3d0
>> [   45.121589]  ? _raw_spin_lock_bh+0xe0/0xe0
>> [   45.121916]  idempotent_init_module+0x339/0x610
>> [   45.122286]  ? init_module_from_file+0x130/0x130
>> [   45.122648]  ? __fget_light+0x57/0x500
>> [   45.122950]  __x64_sys_finit_module+0xba/0x130
>> [   45.123323]  do_syscall_64+0x35/0x80
>> [   45.123607]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
>> [   45.124001] RIP: 0033:0x7fabf471b839
>> [   45.124303] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
>> 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
>> 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
>> [   45.125754] RSP: 002b:00007ffd1f377128 EFLAGS: 00000246 ORIG_RAX:
>> 0000000000000139
>> [   45.126359] RAX: ffffffffffffffda RBX: 000055578e370e10 RCX:
>> 00007fabf471b839
>> [   45.126921] RDX: 0000000000000000 RSI: 000055578ca1bc2e RDI:
>> 0000000000000003
>> [   45.127505] RBP: 000055578ca1bc2e R08: 0000000000000000 R09:
>> 000055578e373210
>> [   45.128057] R10: 0000000000000003 R11: 0000000000000246 R12:
>> 0000000000000000
>> [   45.128621] R13: 000055578e370f30 R14: 0000000000040000 R15:
>> 000055578e370e10
>> [   45.129183]  </TASK>
>> [   45.129376] ---[ end trace 0000000000000000 ]---
>> [   45.129744] ------------[ cut here ]------------
>> [   45.130109] refcount_t: addition on 0; use-after-free.
>> [   45.130555] WARNING: CPU: 1 PID: 1862 at lib/refcount.c:25
>> refcount_warn_saturate+0x120/0x190
>> [   45.131214] Modules linked in: fpga_mgr_test(+)
>> [   45.131588] CPU: 1 PID: 1862 Comm: modprobe Tainted: G        W
>>  N 6.6.0-rc3+ #54
>> [   45.132205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
>> BIOS 1.15.0-1 04/01/2014
>> [   45.132854] RIP: 0010:refcount_warn_saturate+0x120/0x190
>> [   45.133262] Code: 1d bc 3f 40 0a 80 fb 01 0f 87 5a f8 67 01 83 e3 01
>> 0f 85 5d ff ff ff 48 c7 c7 e0 99 7a 84 c6 05 9c 3f 40 0a 01 e8 30 1e 80
>> fe <0f> 0b e9 43 ff ff ff 0f b6 1d 86 3f 40 0a 80 fb 01 0f 87 4f f8 67
>> [   45.134712] RSP: 0018:ffff8881062f7280 EFLAGS: 00010286
>> [   45.135138] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
>> 0000000000000000
>> [   45.135698] RDX: 0000000000000002 RSI: ffffffff847b4d40 RDI:
>> 0000000000000001
>> [   45.136244] RBP: 0000000000000002 R08: 0000000000000001 R09:
>> ffffed1020c5ee0f
>> [   45.136804] R10: ffff8881062f707f R11: 746e756f63666572 R12:
>> ffffffffa02121d0
>> [   45.137367] R13: ffff888101b6d858 R14: ffffffffa02121d0 R15:
>> ffff88810661aca0
>> [   45.137919] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
>> knlGS:0000000000000000
>> [   45.138551] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [   45.139007] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
>> 0000000000770ee0
>> [   45.139566] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [   45.140116] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
>> 0000000000000400
>> [   45.140669] PKRU: 55555554
>> [   45.140882] Call Trace:
>> [   45.141084]  <TASK>
>> [   45.141254]  ? __warn+0xc9/0x260
>> [   45.141520]  ? refcount_warn_saturate+0x120/0x190
>> [   45.141889]  ? report_bug+0x345/0x400
>> [   45.142176]  ? handle_bug+0x3c/0x70
>> [   45.142461]  ? exc_invalid_op+0x14/0x40
>> [   45.142767]  ? asm_exc_invalid_op+0x16/0x20
>> [   45.143101]  ? refcount_warn_saturate+0x120/0x190
>> [   45.143474]  kobject_get+0xbd/0xe0
>> [   45.143745]  kobject_add_internal+0x9e/0x870
>> [   45.144084]  kobject_add+0x120/0x1f0
>> [   45.144378]  ? kset_create_and_add+0x160/0x160
>> [   45.144732]  ? __kmem_cache_alloc_node+0x1d2/0x350
>> [   45.145109]  ? _raw_spin_lock+0x87/0xe0
>> [   45.145426]  ? kobject_create_and_add+0x3c/0xb0
>> [   45.145787]  kobject_create_and_add+0x68/0xb0
>> [   45.146130]  module_add_driver+0x260/0x350
>> [   45.146465]  bus_add_driver+0x2c9/0x580
>> [   45.146762]  driver_register+0x133/0x460
>> [   45.147084]  kunit_run_tests+0xdb/0xef0
>> [   45.147404]  ? _raw_spin_lock_irqsave+0x8d/0xe0
>> [   45.147754]  ? __sched_text_end+0xa/0xa
>> [   45.148056]  ? _raw_spin_unlock_irqrestore+0x42/0x80
>> [   45.148456]  ? __kunit_test_suites_exit+0x80/0x80
>> [   45.148817]  ? set_track_prepare+0x8a/0xd0
>> [   45.149145]  ? get_object+0x70/0x70
>> [   45.149425]  ? alloc_inode+0x12a/0x1e0
>> [   45.149716]  ? new_inode+0x14/0x230
>> [   45.149989]  ? __debugfs_create_file+0xc8/0x5d0
>> [   45.150347]  ? __kunit_test_suites_init+0x73/0x140
>> [   45.150724]  ? kunit_module_notify+0x3ab/0x440
>> [   45.151074]  ? notifier_call_chain+0xbf/0x280
>> [   45.151420]  ? _raw_spin_lock_irqsave+0x8d/0xe0
>> [   45.151772]  ? __sched_text_end+0xa/0xa
>> [   45.152079]  ? projid_m_show+0x200/0x200
>> [   45.152403]  ? kasan_set_track+0x21/0x30
>> [   45.152712]  ? _raw_spin_lock+0x87/0xe0
>> [   45.153010]  ? _raw_spin_lock_bh+0xe0/0xe0
>> [   45.153333]  ? _raw_spin_lock+0x87/0xe0
>> [   45.153635]  ? __d_instantiate+0x1d5/0x3b0
>> [   45.153953]  ? alloc_inode+0x72/0x1e0
>> [   45.154235]  ? up_write+0x6d/0xa0
>> [   45.154509]  ? __debugfs_create_file+0x3b5/0x5d0
>> [   45.154869]  __kunit_test_suites_init+0xde/0x140
>> [   45.155222]  kunit_module_notify+0x3ab/0x440
>> [   45.155560]  ? __kunit_test_suites_init+0x140/0x140
>> [   45.155938]  ? preempt_count_add+0x79/0x150
>> [   45.156259]  notifier_call_chain+0xbf/0x280
>> [   45.156591]  ? kasan_quarantine_put+0x21/0x1a0
>> [   45.156937]  blocking_notifier_call_chain_robust+0xbb/0x140
>> [   45.157371]  ? notifier_call_chain+0x280/0x280
>> [   45.157713]  ? 0xffffffffa0208000
>> [   45.157967]  load_module+0x4af0/0x67d0
>> [   45.158255]  ? module_frob_arch_sections+0x20/0x20
>> [   45.158630]  ? rwsem_down_write_slowpath+0x11a0/0x11a0
>> [   45.159025]  ? kernel_read_file+0x3ca/0x510
>> [   45.159353]  ? __x64_sys_fspick+0x2a0/0x2a0
>> [   45.159673]  ? init_module_from_file+0xd2/0x130
>> [   45.160014]  init_module_from_file+0xd2/0x130
>> [   45.160356]  ? __ia32_sys_init_module+0xa0/0xa0
>> [   45.160702]  ? userfaultfd_unmap_prep+0x3d0/0x3d0
>> [   45.161058]  ? _raw_spin_lock_bh+0xe0/0xe0
>> [   45.161386]  idempotent_init_module+0x339/0x610
>> [   45.161727]  ? init_module_from_file+0x130/0x130
>> [   45.162081]  ? __fget_light+0x57/0x500
>> [   45.162378]  __x64_sys_finit_module+0xba/0x130
>> [   45.162720]  do_syscall_64+0x35/0x80
>> [   45.162989]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
>> [   45.163380] RIP: 0033:0x7fabf471b839
>> [   45.163655] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
>> 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
>> 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
>> [   45.165049] RSP: 002b:00007ffd1f377128 EFLAGS: 00000246 ORIG_RAX:
>> 0000000000000139
>> [   45.165627] RAX: ffffffffffffffda RBX: 000055578e370e10 RCX:
>> 00007fabf471b839
>> [   45.166168] RDX: 0000000000000000 RSI: 000055578ca1bc2e RDI:
>> 0000000000000003
>> [   45.166733] RBP: 000055578ca1bc2e R08: 0000000000000000 R09:
>> 000055578e373210
>> [   45.167297] R10: 0000000000000003 R11: 0000000000000246 R12:
>> 0000000000000000
>> [   45.167847] R13: 000055578e370f30 R14: 0000000000040000 R15:
>> 000055578e370e10
>> [   45.168404]  </TASK>
>> [   45.168579] ---[ end trace 0000000000000000 ]---
>> [   45.168952] general protection fault, probably for non-canonical
>> address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
>> [   45.169771] KASAN: null-ptr-deref in range
>> [0x0000000000000018-0x000000000000001f]
>> [   45.170336] CPU: 1 PID: 1862 Comm: modprobe Tainted: G        W
>>  N 6.6.0-rc3+ #54
>> [   45.170935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
>> BIOS 1.15.0-1 04/01/2014
>> [   45.171562] RIP: 0010:kobject_namespace+0x71/0x150
>> [   45.171933] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cd 00 00 00 48
>> b8 00 00 00 00 00 fc ff df 49 8b 5c 24 28 48 8d 7b 18 48 89 fa 48 c1 ea
>> 03 <80> 3c 02 00 0f 85 c1 00 00 00 48 8b 43 18 48 85 c0 74 79 4c 89 e7
>> [   45.173324] RSP: 0018:ffff8881062f7288 EFLAGS: 00010206
>> [   45.173716] RAX: dffffc0000000000 RBX: 0000000000000000 RCX:
>> 0000000000000000
>> [   45.174245] RDX: 0000000000000003 RSI: ffffffff847b4d40 RDI:
>> 0000000000000018
>> [   45.174777] RBP: ffff888101b6d840 R08: 0000000000000001 R09:
>> ffffed1020c5ee0f
>> [   45.175317] R10: ffff8881062f707f R11: 746e756f63666572 R12:
>> ffffffffa02121d0
>> [   45.175847] R13: ffff888101b6d858 R14: ffff888101b6d868 R15:
>> ffffffff84ac7020
>> [   45.176377] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
>> knlGS:0000000000000000
>> [   45.176977] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [   45.177413] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
>> 0000000000770ee0
>> [   45.177946] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [   45.178479] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
>> 0000000000000400
>> [   45.179016] PKRU: 55555554
>> [   45.179227] Call Trace:
>> [   45.179418]  <TASK>
>> [   45.179584]  ? die_addr+0x3d/0xa0
>> [   45.179843]  ? exc_general_protection+0x144/0x220
>> [   45.180202]  ? asm_exc_general_protection+0x22/0x30
>> [   45.180570]  ? kobject_namespace+0x71/0x150
>> [   45.180886]  kobject_add_internal+0x267/0x870
>> [   45.181221]  kobject_add+0x120/0x1f0
>> [   45.181497]  ? kset_create_and_add+0x160/0x160
>> [   45.181828]  ? __kmem_cache_alloc_node+0x1d2/0x350
>> [   45.182188]  ? _raw_spin_lock+0x87/0xe0
>> [   45.182480]  ? kobject_create_and_add+0x3c/0xb0
>> [   45.182822]  kobject_create_and_add+0x68/0xb0
>> [   45.183159]  module_add_driver+0x260/0x350
>> [   45.183472]  bus_add_driver+0x2c9/0x580
>> [   45.183764]  driver_register+0x133/0x460
>> [   45.184061]  kunit_run_tests+0xdb/0xef0
>> [   45.184354]  ? _raw_spin_lock_irqsave+0x8d/0xe0
>> [   45.184700]  ? __sched_text_end+0xa/0xa
>> [   45.184993]  ? _raw_spin_unlock_irqrestore+0x42/0x80
>> [   45.185365]  ? __kunit_test_suites_exit+0x80/0x80
>> [   45.185718]  ? set_track_prepare+0x8a/0xd0
>> [   45.186027]  ? get_object+0x70/0x70
>> [   45.186296]  ? alloc_inode+0x12a/0x1e0
>> [   45.186578]  ? new_inode+0x14/0x230
>> [   45.186848]  ? __debugfs_create_file+0xc8/0x5d0
>> [   45.187199]  ? __kunit_test_suites_init+0x73/0x140
>> [   45.187563]  ? kunit_module_notify+0x3ab/0x440
>> [   45.187905]  ? notifier_call_chain+0xbf/0x280
>> [   45.188232]  ? _raw_spin_lock_irqsave+0x8d/0xe0
>> [   45.188574]  ? __sched_text_end+0xa/0xa
>> [   45.188862]  ? projid_m_show+0x200/0x200
>> [   45.189158]  ? kasan_set_track+0x21/0x30
>> [   45.189457]  ? _raw_spin_lock+0x87/0xe0
>> [   45.189747]  ? _raw_spin_lock_bh+0xe0/0xe0
>> [   45.190054]  ? _raw_spin_lock+0x87/0xe0
>> [   45.190345]  ? __d_instantiate+0x1d5/0x3b0
>> [   45.190657]  ? alloc_inode+0x72/0x1e0
>> [   45.190935]  ? up_write+0x6d/0xa0
>> [   45.191191]  ? __debugfs_create_file+0x3b5/0x5d0
>> [   45.191545]  __kunit_test_suites_init+0xde/0x140
>> [   45.191904]  kunit_module_notify+0x3ab/0x440
>> [   45.192226]  ? __kunit_test_suites_init+0x140/0x140
>> [   45.192601]  ? preempt_count_add+0x79/0x150
>> [   45.192927]  notifier_call_chain+0xbf/0x280
>> [   45.193244]  ? kasan_quarantine_put+0x21/0x1a0
>> [   45.193586]  blocking_notifier_call_chain_robust+0xbb/0x140
>> [   45.194015]  ? notifier_call_chain+0x280/0x280
>> [   45.194360]  ? 0xffffffffa0208000
>> [   45.194614]  load_module+0x4af0/0x67d0
>> [   45.194909]  ? module_frob_arch_sections+0x20/0x20
>> [   45.195274]  ? rwsem_down_write_slowpath+0x11a0/0x11a0
>> [   45.195672]  ? kernel_read_file+0x3ca/0x510
>> [   45.195997]  ? __x64_sys_fspick+0x2a0/0x2a0
>> [   45.196319]  ? init_module_from_file+0xd2/0x130
>> [   45.196675]  init_module_from_file+0xd2/0x130
>> [   45.197006]  ? __ia32_sys_init_module+0xa0/0xa0
>> [   45.197352]  ? userfaultfd_unmap_prep+0x3d0/0x3d0
>> [   45.197724]  ? _raw_spin_lock_bh+0xe0/0xe0
>> [   45.198044]  idempotent_init_module+0x339/0x610
>> [   45.198392]  ? init_module_from_file+0x130/0x130
>> [   45.198748]  ? __fget_light+0x57/0x500
>> [   45.199043]  __x64_sys_finit_module+0xba/0x130
>> [   45.199389]  do_syscall_64+0x35/0x80
>> [   45.199664]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
>> [   45.200050] RIP: 0033:0x7fabf471b839
>> [   45.200325] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
>> 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
>> 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
>> [   45.201713] RSP: 002b:00007ffd1f377128 EFLAGS: 00000246 ORIG_RAX:
>> 0000000000000139
>> [   45.202278] RAX: ffffffffffffffda RBX: 000055578e370e10 RCX:
>> 00007fabf471b839
>> [   45.202816] RDX: 0000000000000000 RSI: 000055578ca1bc2e RDI:
>> 0000000000000003
>> [   45.203348] RBP: 000055578ca1bc2e R08: 0000000000000000 R09:
>> 000055578e373210
>> [   45.203886] R10: 0000000000000003 R11: 0000000000000246 R12:
>> 0000000000000000
>> [   45.204426] R13: 000055578e370f30 R14: 0000000000040000 R15:
>> 000055578e370e10
>> [   45.204962]  </TASK>
>> [   45.205140] Modules linked in: fpga_mgr_test(+)
>> [   45.205500] Dumping ftrace buffer:
>> [   45.205768]    (ftrace buffer empty)
>> [   45.206066] ---[ end trace 0000000000000000 ]---
>> [   45.206477] RIP: 0010:kobject_namespace+0x71/0x150
>> [   45.206850] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cd 00 00 00 48
>> b8 00 00 00 00 00 fc ff df 49 8b 5c 24 28 48 8d 7b 18 48 89 fa 48 c1 ea
>> 03 <80> 3c 02 00 0f 85 c1 00 00 00 48 8b 43 18 48 85 c0 74 79 4c 89 e7
>> [   45.208501] RSP: 0018:ffff8881062f7288 EFLAGS: 00010206
>> [   45.209015] RAX: dffffc0000000000 RBX: 0000000000000000 RCX:
>> 0000000000000000
>> [   45.209708] RDX: 0000000000000003 RSI: ffffffff847b4d40 RDI:
>> 0000000000000018
>> [   45.210473] RBP: ffff888101b6d840 R08: 0000000000000001 R09:
>> ffffed1020c5ee0f
>> [   45.211142] R10: ffff8881062f707f R11: 746e756f63666572 R12:
>> ffffffffa02121d0
>> [   45.211898] R13: ffff888101b6d858 R14: ffff888101b6d868 R15:
>> ffffffff84ac7020
>> [   45.212653] FS:  00007fabf4c34540(0000) GS:ffff888119c80000(0000)
>> knlGS:0000000000000000
>> [   45.213441] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [   45.213970] CR2: 000055578ca04e20 CR3: 000000010ac0e006 CR4:
>> 0000000000770ee0
>> [   45.214716] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [   45.215424] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
>> 0000000000000400
>> [   45.216089] PKRU: 55555554
>> [   45.216440] Kernel panic - not syncing: Fatal exception
>> [   45.217935] Dumping ftrace buffer:
>> [   45.218195]    (ftrace buffer empty)
>> [   45.218473] Kernel Offset: disabled
>> [   45.218740] Rebooting in 1 seconds..
>>
>>> +}
>>> +
>>> +static void fpga_mgr_test_suite_exit(struct kunit_suite *suite)
>>> +{
>>> +	platform_driver_unregister(&test_platform_driver);
>>> +}
>>> +
>>>  static int fpga_mgr_test_init(struct kunit *test)
>>>  {
>>>  	struct mgr_ctx *ctx;
>>> @@ -284,7 +298,7 @@ static int fpga_mgr_test_init(struct kunit *test)
>>>  	ctx = kunit_kzalloc(test, sizeof(*ctx), GFP_KERNEL);
>>>  	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx);
>>>  
>>> -	ctx->pdev = platform_device_register_simple("mgr_pdev", PLATFORM_DEVID_AUTO, NULL, 0);
>>> +	ctx->pdev = platform_device_register_simple(TEST_PDEV_NAME, PLATFORM_DEVID_AUTO, NULL, 0);
>>>  	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx->pdev);
>>>  
>>>  	ctx->mgr = devm_fpga_mgr_register(&ctx->pdev->dev, "Fake FPGA Manager", &fake_mgr_ops,
>>> @@ -317,6 +331,8 @@ static struct kunit_case fpga_mgr_test_cases[] = {
>>>  
>>>  static struct kunit_suite fpga_mgr_suite = {
>>>  	.name = "fpga_mgr",
>>> +	.suite_init = fpga_mgr_test_suite_init,
>>> +	.suite_exit = fpga_mgr_test_suite_exit,
>>>  	.init = fpga_mgr_test_init,
>>>  	.exit = fpga_mgr_test_exit,
>>>  	.test_cases = fpga_mgr_test_cases,
>>
>
  

Patch

diff --git a/drivers/fpga/tests/fpga-mgr-test.c b/drivers/fpga/tests/fpga-mgr-test.c
index 6acec55b60ce..30de474d7def 100644
--- a/drivers/fpga/tests/fpga-mgr-test.c
+++ b/drivers/fpga/tests/fpga-mgr-test.c
@@ -14,6 +14,8 @@ 
 #include <linux/scatterlist.h>
 #include <linux/types.h>
 
+#include "fpga-test-helpers.h"
+
 #define HEADER_FILL		'H'
 #define IMAGE_FILL		'P'
 #define IMAGE_BLOCK		1024
@@ -277,6 +279,18 @@  static void fpga_mgr_test_img_load_sgt(struct kunit *test)
 	sg_free_table(ctx->img_info->sgt);
 }
 
+TEST_PLATFORM_DRIVER(test_platform_driver);
+
+static int fpga_mgr_test_suite_init(struct kunit_suite *suite)
+{
+	return platform_driver_register(&test_platform_driver);
+}
+
+static void fpga_mgr_test_suite_exit(struct kunit_suite *suite)
+{
+	platform_driver_unregister(&test_platform_driver);
+}
+
 static int fpga_mgr_test_init(struct kunit *test)
 {
 	struct mgr_ctx *ctx;
@@ -284,7 +298,7 @@  static int fpga_mgr_test_init(struct kunit *test)
 	ctx = kunit_kzalloc(test, sizeof(*ctx), GFP_KERNEL);
 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx);
 
-	ctx->pdev = platform_device_register_simple("mgr_pdev", PLATFORM_DEVID_AUTO, NULL, 0);
+	ctx->pdev = platform_device_register_simple(TEST_PDEV_NAME, PLATFORM_DEVID_AUTO, NULL, 0);
 	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ctx->pdev);
 
 	ctx->mgr = devm_fpga_mgr_register(&ctx->pdev->dev, "Fake FPGA Manager", &fake_mgr_ops,
@@ -317,6 +331,8 @@  static struct kunit_case fpga_mgr_test_cases[] = {
 
 static struct kunit_suite fpga_mgr_suite = {
 	.name = "fpga_mgr",
+	.suite_init = fpga_mgr_test_suite_init,
+	.suite_exit = fpga_mgr_test_suite_exit,
 	.init = fpga_mgr_test_init,
 	.exit = fpga_mgr_test_exit,
 	.test_cases = fpga_mgr_test_cases,