Bug ID 1004626
Summary gcc 7 miscompiles kernel
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Development
Assignee bnc-team-screening@forge.provo.novell.com
Reporter jslaby@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Created attachment 697320 [details]
preprocessed file

I am using
gcc-7 (SUSE Linux) 7.0.0 20161007 (experimental)
from
https://build.opensuse.org/project/show/home:marxin:syzkaller

And the kernel does not boot. It is looping and page faulting inside 
get_builtin_firmware:
{
#ifdef CONFIG_FW_LOADER
        /*
         * Linear search over the built-in firmware table, bounded by the
         * two linker-provided symbols.  When __start_builtin_fw and
         * __end_builtin_fw are the same address (as the nm output for this
         * kernel shows), the range is empty and the loop body must never
         * run; the loop relies entirely on the `b_fw != __end_builtin_fw`
         * comparison to stop.
         *
         * NOTE(review): both bounds are distinct extern symbols; if the
         * compiler treats them as separate objects it may assume their
         * addresses can never be equal and drop the `!=` test, which would
         * walk past the end of the table -- confirm against the generated
         * code.
         */
        struct builtin_fw *b_fw;

        for (b_fw = __start_builtin_fw; b_fw != __end_builtin_fw; b_fw++) {
                /* Name match: hand back the blob's size and data. */
                if (!strcmp(name, b_fw->name)) {
                        cd->size = b_fw->size;
                        cd->data = b_fw->data;
                        return true;
                }
        }
#endif
        /* Not found (or CONFIG_FW_LOADER disabled, so no table exists). */
        return false;
}

But
$ nm vmlinux-4.8.1-* |grep __.*_builtin_fw
ffffffff81ac2158 R __end_builtin_fw
ffffffff81ac2158 R __start_builtin_fw


And indeed, the test `b_fw != __end_builtin_fw` seems to have been removed from the generated code:
ffffffff81049d20 <get_builtin_firmware>:
ffffffff81049d20:       e8 fb bb 68 00          callq  ffffffff816d5920
<__fentry__>
ffffffff81049d25:       41 54                   push   %r12
ffffffff81049d27:       49 89 fc                mov    %rdi,%r12
ffffffff81049d2a:       55                      push   %rbp
ffffffff81049d2b:       48 89 f5                mov    %rsi,%rbp
ffffffff81049d2e:       53                      push   %rbx
ffffffff81049d2f:       48 c7 c3 58 21 ac 81    mov    $0xffffffff81ac2158,%rbx
ffffffff81049d36:       eb 04                   jmp    ffffffff81049d3c
<get_builtin_firmware+0x1c>
ffffffff81049d38:       48 83 c3 18             add    $0x18,%rbx
ffffffff81049d3c:       48 8b 33                mov    (%rbx),%rsi
ffffffff81049d3f:       48 89 ef                mov    %rbp,%rdi
ffffffff81049d42:       e8 d9 3d 36 00          callq  ffffffff813adb20
<strcmp>
ffffffff81049d47:       85 c0                   test   %eax,%eax
ffffffff81049d49:       75 ed                   jne    ffffffff81049d38
<get_builtin_firmware+0x18>
ffffffff81049d4b:       48 8b 43 10             mov    0x10(%rbx),%rax
ffffffff81049d4f:       49 89 44 24 08          mov    %rax,0x8(%r12)
ffffffff81049d54:       48 8b 43 08             mov    0x8(%rbx),%rax
ffffffff81049d58:       5b                      pop    %rbx
ffffffff81049d59:       5d                      pop    %rbp
ffffffff81049d5a:       49 89 04 24             mov    %rax,(%r12)
ffffffff81049d5e:       b8 01 00 00 00          mov    $0x1,%eax
ffffffff81049d63:       41 5c                   pop    %r12
ffffffff81049d65:       c3                      retq   
ffffffff81049d66:       66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
ffffffff81049d6d:       00 00 00 



gcc-6 produces this (chopped):
ffffffff81ac2230 R __end_builtin_fw
ffffffff81ac2230 R __start_builtin_fw

and

ffffffff81049e39:       48 c7 c3 30 22 ac 81    mov    $0xffffffff81ac2230,%rbx
ffffffff81049e40:       48 81 fb 30 22 ac 81    cmp    $0xffffffff81ac2230,%rbx
ffffffff81049e47:       74 3f                   je     ffffffff81049e88
<get_builtin_firmware+0x58>

The 'if' ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

ffffffff81049e49:       48 89 f5                mov    %rsi,%rbp
ffffffff81049e4c:       49 89 fc                mov    %rdi,%r12
ffffffff81049e4f:       eb 0d                   jmp    ffffffff81049e5e
<get_builtin_firmware+0x2e>
ffffffff81049e51:       48 83 c3 18             add    $0x18,%rbx
ffffffff81049e55:       48 81 fb 30 22 ac 81    cmp    $0xffffffff81ac2230,%rbx
ffffffff81049e5c:       74 2a                   je     ffffffff81049e88
<get_builtin_firmware+0x58>
ffffffff81049e5e:       48 8b 33                mov    (%rbx),%rsi
ffffffff81049e61:       48 89 ef                mov    %rbp,%rdi
ffffffff81049e64:       e8 f7 1e 36 00          callq  ffffffff813abd60
<strcmp>
ffffffff81049e69:       85 c0                   test   %eax,%eax
ffffffff81049e6b:       75 e4                   jne    ffffffff81049e51
<get_builtin_firmware+0x21>

