Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ubsan: pincrtrl warning #144

Closed
shenki opened this issue Mar 22, 2018 · 2 comments
Closed

ubsan: pincrtrl warning #144

shenki opened this issue Mar 22, 2018 · 2 comments
Assignees
@amboar
Labels
bug

Comments

@shenki
Copy link
Member

shenki commented Mar 22, 2018

e156398bfcad44943ea4881a390b8b816c854593
v4.16-rc6-119-ge156398bfcad

from Joel's experimental 4.16 tree, on a qemu romulus machine

[   26.624869] UBSAN: Undefined behaviour in ./arch/arm/include/asm/bitops.h:297:17
[   26.627188] negation of -2147483648 cannot be represented in type 'int':
[   26.628844] CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc6-00118-g671c39af8e7d-dirty #269
[   26.629965] Hardware name: Generic DT based system
[   26.634039] [<80016978>] (unwind_backtrace) from [<80012af8>] (show_stack+0x20/0x24)
[   26.635105] [<80012af8>] (show_stack) from [<80929cfc>] (dump_stack+0x20/0x28)
[   26.636571] [<80929cfc>] (dump_stack) from [<8049a178>] (ubsan_epilogue+0x14/0x60)
[   26.637785] [<8049a178>] (ubsan_epilogue) from [<8049a694>] (__ubsan_handle_negate_overflow+0xd0/0xf4)
[   26.638634] [<8049a694>] (__ubsan_handle_negate_overflow) from [<804a87dc>] (aspeed_sig_expr_eval+0x2fc/0x43c)
[   26.639900] [<804a87dc>] (aspeed_sig_expr_eval) from [<804a8df0>] (aspeed_disable_sig.part.1+0x54/0x148)
[   26.640854] [<804a8df0>] (aspeed_disable_sig.part.1) from [<804a9854>] (aspeed_gpio_request_enable+0x120/0x218)
[   26.641794] [<804a9854>] (aspeed_gpio_request_enable) from [<804a3250>] (pin_request+0x100/0x50c)
[   26.642536] [<804a3250>] (pin_request) from [<804a3d08>] (pinmux_request_gpio+0x60/0xa0)
[   26.643188] [<804a3d08>] (pinmux_request_gpio) from [<804a0adc>] (pinctrl_gpio_request+0x1d4/0x2ec)
[   26.643881] [<804a0adc>] (pinctrl_gpio_request) from [<804baff0>] (aspeed_gpio_request+0x128/0x1ec)
[   26.644685] [<804baff0>] (aspeed_gpio_request) from [<804ad414>] (gpiod_request_commit+0x10c/0x224)
[   26.645570] [<804ad414>] (gpiod_request_commit) from [<804b00d4>] (gpiod_request+0x58/0x180)
[   26.646226] [<804b00d4>] (gpiod_request) from [<804b5714>] (gpiod_get_index+0xbc/0x400)
[   26.646863] [<804b5714>] (gpiod_get_index) from [<804aa938>] (devm_gpiod_get_index+0x58/0x94)
[   26.647507] [<804aa938>] (devm_gpiod_get_index) from [<804aa994>] (devm_gpiod_get+0x20/0x24)
[   26.648159] [<804aa994>] (devm_gpiod_get) from [<806ac594>] (fsi_master_gpio_probe+0x7c/0x2b0)
[   26.648838] [<806ac594>] (fsi_master_gpio_probe) from [<8051bb50>] (platform_drv_probe+0x88/0x170)
[   26.649498] [<8051bb50>] (platform_drv_probe) from [<80518418>] (driver_probe_device+0x484/0x908)
[   26.650136] [<80518418>] (driver_probe_device) from [<805189b8>] (__driver_attach+0x11c/0x180)
[   26.650833] [<805189b8>] (__driver_attach) from [<805145c8>] (bus_for_each_dev+0xb0/0x104)
[   26.651642] [<805145c8>] (bus_for_each_dev) from [<80518cd8>] (driver_attach+0x38/0x54)
[   26.652345] [<80518cd8>] (driver_attach) from [<8051572c>] (bus_add_driver+0x1ec/0x3f8)
[   26.652929] [<8051572c>] (bus_add_driver) from [<8051a0bc>] (driver_register+0xe4/0x1c8)
[   26.653543] [<8051a0bc>] (driver_register) from [<8051ccc4>] (__platform_driver_register+0x74/0x9c)
[   26.654265] [<8051ccc4>] (__platform_driver_register) from [<80b4b03c>] (fsi_master_gpio_driver_init+0x20/0x28)
[   26.655330] [<80b4b03c>] (fsi_master_gpio_driver_init) from [<80b18574>] (do_one_initcall+0x15c/0x260)
[   26.656156] [<80b18574>] (do_one_initcall) from [<80b1891c>] (kernel_init_freeable+0x2a4/0x388)
[   26.656817] [<80b1891c>] (kernel_init_freeable) from [<8094feb4>] (kernel_init+0x1c/0x124)
[   26.657436] [<8094feb4>] (kernel_init) from [<800090f0>] (ret_from_fork+0x14/0x24)
[   26.657965] Exception stack(0x97d03fb0 to 0x97d03ff8)
[   26.658604] 3fa0:                                     00000000 00000000 00000000 00000000
[   26.659406] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   26.660149] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000

#0  __ubsan_handle_negate_overflow (data=0x80000000, old_val=2147483648) at lib/ubsan.c:220
        flags = 2546226464
        old_val_str = " Uė\034:З\b:З0\313S\200d\307\"\200 Uė\000\000\000\000D:З :ЗpqT\200"
#1  0x804a87dc in ffs (x=<optimized out>) at ./arch/arm/include/asm/bitops.h:297
No locals.
#2  __ffs (x=<optimized out>) at ./arch/arm/include/asm/bitops.h:306
No locals.
#3  aspeed_sig_desc_eval (map=<optimized out>, enabled=<optimized out>, desc=<optimized out>) at drivers/pinctrl/aspeed/pinctrl-aspeed.c:127
        ret = -2133780044
        raw = 134193152
#4  aspeed_sig_expr_eval (expr=0x80981f84 <sig_expr_NORD2_PNOR>, enabled=false, maps=0x0) at drivers/pinctrl/aspeed/pinctrl-aspeed.c:160
        desc = 0x80981f94 <sig_descs_NORD2_PNOR>
        i = 0
#5  0x804a8df0 in aspeed_sig_expr_disable (maps=<optimized out>, expr=<optimized out>) at drivers/pinctrl/aspeed/pinctrl-aspeed.c:274
        ret = -2133770768
#6  aspeed_disable_sig (exprs=0x80d13dec <sig_exprs_NORD2>, maps=0x80d130fc <aspeed_g5_pinctrl_data>)
    at drivers/pinctrl/aspeed/pinctrl-aspeed.c:301
        ret = -2133770768
#7  0x804a9854 in aspeed_disable_sig (maps=<optimized out>, exprs=<optimized out>) at drivers/pinctrl/aspeed/pinctrl-aspeed.c:539
No locals.
#8  aspeed_gpio_request_enable (pctldev=0x80d119b4, range=0x80000000, offset=0) at drivers/pinctrl/aspeed/pinctrl-aspeed.c:507
        pdata = 0x80d130fc <aspeed_g5_pinctrl_data>
        prios = 0x80d13dd8 <pin_exprs_210+8>
        funcs = 0x80d13dec <sig_exprs_NORD2>
#9  0x804a3250 in pin_request (pctldev=0x97c6d300, pin=210, owner=0x931c9840 "1e780000.gpio:490", gpio_range=0x97eba5ac)
    at drivers/pinctrl/pinmux.c:142
        ops = 0x8097fed0 <aspeed_g5_pinmux_ops>
        status = -2137522480
#10 0x804a3d08 in pinmux_request_gpio (pctldev=0x97c6d300, range=0x97eba5ac, pin=210, gpio=2468124736) at drivers/pinctrl/pinmux.c:248
        ret = -1746164308
#11 0x804a0adc in pinctrl_gpio_request (gpio=490) at drivers/pinctrl/core.c:762
        pctldev = 0x97c6d300
        range = 0x97eba5ac
        ret = 0
#12 0x804baff0 in aspeed_gpio_request (chip=0x9769ab90, offset=210) at drivers/gpio/gpio-aspeed.c:575
No locals.
#13 0x804ad414 in gpiod_request_commit (desc=0x930c3680, 
    label=0x804baec8 <aspeed_gpio_request> "\r\300\240\341\360\337-\351\004\260L\342\f\320M\342\004\340", <incomplete sequence \345>)
    at drivers/gpio/gpiolib.c:2165
        chip = 0x9769ab90
        status = -2142523704
        flags = 3360
#14 0x804b00d4 in gpiod_request (desc=0x930c3680, label=0x80a454f8 "data") at drivers/gpio/gpiolib.c:2232
        status = 1
        gdev = 0x977f9000
        descriptor = {modname = 0x80a78c0c "gpiolib", function = 0x80988a54 <__func__.38458> "gpiod_request", 
          filename = 0x80a783fc "drivers/gpio/gpiolib.c", format = 0x80a787b8 "gpio-%d (%s): %s: status %d\n", lineno = 2240, flags = 0, 
          key = {dd_key_true = <incomplete type>, dd_key_false = <incomplete type>}}
        descriptor = {modname = 0x80a78c0c "gpiolib", function = 0x80988a54 <__func__.38458> "gpiod_request", 
          filename = 0x80a783fc "drivers/gpio/gpiolib.c", format = 0x80a787b8 "gpio-%d (%s): %s: status %d\n", lineno = 2240, flags = 0, 
          key = {dd_key_true = <incomplete type>, dd_key_false = <incomplete type>}}
#15 0x804b5714 in gpiod_get_index (dev=0x97e5c010, con_id=0x80a454f8 "data", idx=0, flags=2161188748) at drivers/gpio/gpiolib.c:3700
        desc = 0x930c3680
        lookupflags = GPIO_ACTIVE_HIGH
#16 0x804aa938 in devm_gpiod_get_index (dev=0x97e5c010, con_id=0x80a454f8 "data", idx=0, flags=GPIOD_ASIS) at drivers/gpio/devres.c:114
        desc = 0x80a454f8
#17 0x804aa994 in devm_gpiod_get (dev=0x80d119b4, 
    con_id=0x80000000 "<?xml version=\"1.0\" standalone='no'?><!--*-nxml-*-->\n<!DOCTYPE service-group SYSTEM \"avahi-service.dtd\">\n\n<!--\n  This file is part of avahi.\n \n  avahi is free software; you can redistribute it and/or "..., flags=GPIOD_ASIS)
    at drivers/gpio/devres.c:68
No locals.
#18 0x806ac5bc in fsi_master_gpio_probe (pdev=0x97e5c000) at drivers/fsi/fsi-master-gpio.c:649
        rc = -2133780044
#19 0x8051bb50 in platform_drv_probe (_dev=0x97e5c010) at drivers/base/platform.c:577
        ret = -2140486376
#20 0x80518418 in really_probe (drv=<optimized out>, dev=<optimized out>) at drivers/base/dd.c:449
        descriptor = {modname = 0x80a84f98 "dd", function = 0x8098d82c <__func__.32424> "really_probe", 
          filename = 0x80a7c9f4 "drivers/base/dd.c", format = 0x80a7c9a0 "Driver %s force probe deferral\n", lineno = 400, flags = 0, 
          key = {dd_key_true = <incomplete type>, dd_key_false = <incomplete type>}}
        descriptor = {modname = 0x80a84f98 "dd", function = 0x8098d82c <__func__.32424> "really_probe", 
          filename = 0x80a7c9f4 "drivers/base/dd.c", format = 0x80a7c9c0 "bus: '%s': %s: probing driver %s with device %s\n", lineno = 413, 
          flags = 0, key = {dd_key_true = <incomplete type>, dd_key_false = <incomplete type>}}
        descriptor = {modname = 0x80a84f98 "dd", function = 0x8098d82c <__func__.32424> "really_probe", 
          filename = 0x80a7c9f4 "drivers/base/dd.c", format = 0x80a7ca2c "bus: '%s': %s: bound device %s to driver %s\n", lineno = 485, 
          flags = 0, key = {dd_key_true = <incomplete type>, dd_key_false = <incomplete type>}}
        descriptor = {modname = 0x80a84f98 "dd", function = 0x8098d82c <__func__.32424> "really_probe", 
          filename = 0x80a7c9f4 "drivers/base/dd.c", format = 0x80a7ca5c "Driver %s requests probe deferral\n", lineno = 508, flags = 0, 
          key = {dd_key_true = <incomplete type>, dd_key_false = <incomplete type>}}
        descriptor = {modname = 0x80a84f98 "dd", function = 0x8098d82c <__func__.32424> "really_probe", 
          filename = 0x80a7c9f4 "drivers/base/dd.c", format = 0x80a7ca80 "%s: probe of %s rejects match %d\n", lineno = 514, flags = 0, 
          key = {dd_key_true = <incomplete type>, dd_key_false = <incomplete type>}}
#21 driver_probe_device (drv=0x80dafe64 <fsi_master_gpio_driver+20>, dev=0x97e5c010) at drivers/base/dd.c:591
        __func__ = "driver_probe_device"
#22 0x805189b8 in __driver_attach (dev=0x97e5c010, data=0x80dafe64 <fsi_master_gpio_driver+20>) at drivers/base/dd.c:825
No locals.
#23 0x805145c8 in bus_for_each_dev (bus=0x80d35f68, start=0x97e57ab0, data=0x80dafe64 <fsi_master_gpio_driver+20>, 
    fn=0x8051889c <__driver_attach>) at drivers/base/bus.c:311
        i = {i_klist = 0x97c60f4c, i_cur = 0x97e57ab0}
        error = -1746568528
#24 0x80518cd8 in driver_attach (drv=0x80dafe64 <fsi_master_gpio_driver+20>) at drivers/base/dd.c:844
---Type <return> to continue, or q <return> to quit---
No locals.
#25 0x8051572c in bus_add_driver (drv=0x80dafe64 <fsi_master_gpio_driver+20>) at drivers/base/bus.c:667
        __func__ = "bus_add_driver"
#26 0x8051a0bc in driver_register (drv=0x80dafe64 <fsi_master_gpio_driver+20>) at drivers/base/driver.c:166
        ret = -2133620400
#27 0x8051ccc4 in __platform_driver_register (drv=0x80dafe50 <fsi_master_gpio_driver>, owner=0x0) at drivers/base/platform.c:635
No locals.
#28 0x80b4b03c in fsi_master_gpio_driver_init () at drivers/fsi/fsi-master-gpio.c:732
No locals.
#29 0x80b18574 in do_one_initcall (fn=0x80b4b01c <fsi_master_gpio_driver_init>) at init/main.c:833
        ret = 0
        msgbuf = "\000>З\024^\006\200|\305\"\200,?З\200e\272\200|g\272\200\000\000\000\000\006\000\000\000\000\000\000\000\006\000\000\000\270֨\200\354x\261\200,Ѫ\200D?ЗU\252\277\237\000\000\000"
#30 0x80b1891c in do_initcall_level (level=<optimized out>) at init/main.c:899
        fn = 0x80b7ec50 <__initcall_scom_init6>
#31 do_initcalls () at init/main.c:907
        level = 7
#32 do_basic_setup () at init/main.c:925
@shenki shenki added the bug label Mar 22, 2018
@amboar
Copy link
Member

amboar commented Apr 9, 2018

This appears to be a problem with ffs() using a signed value (int) as its parameter type. Shifting through the top bit of signed values gives undefined behaviour. As such this is less a problem with the ASPEED pinctrl driver and more a kernel-wide issue.

shenki pushed a commit that referenced this issue Jun 26, 2018
@borkmann @gregkh
tls: fix use-after-free in tls_push_record
7fd98de 
[ Upstream commit a447da7 ]

syzkaller managed to trigger a use-after-free in tls like the
following:

  BUG: KASAN: use-after-free in tls_push_record.constprop.15+0x6a2/0x810 [tls]
  Write of size 1 at addr ffff88037aa08000 by task a.out/2317

  CPU: 3 PID: 2317 Comm: a.out Not tainted 4.17.0+ #144
  Hardware name: LENOVO 20FBCTO1WW/20FBCTO1WW, BIOS N1FET47W (1.21 ) 11/28/2016
  Call Trace:
   dump_stack+0x71/0xab
   print_address_description+0x6a/0x280
   kasan_report+0x258/0x380
   ? tls_push_record.constprop.15+0x6a2/0x810 [tls]
   tls_push_record.constprop.15+0x6a2/0x810 [tls]
   tls_sw_push_pending_record+0x2e/0x40 [tls]
   tls_sk_proto_close+0x3fe/0x710 [tls]
   ? tcp_check_oom+0x4c0/0x4c0
   ? tls_write_space+0x260/0x260 [tls]
   ? kmem_cache_free+0x88/0x1f0
   inet_release+0xd6/0x1b0
   __sock_release+0xc0/0x240
   sock_close+0x11/0x20
   __fput+0x22d/0x660
   task_work_run+0x114/0x1a0
   do_exit+0x71a/0x2780
   ? mm_update_next_owner+0x650/0x650
   ? handle_mm_fault+0x2f5/0x5f0
   ? __do_page_fault+0x44f/0xa50
   ? mm_fault_error+0x2d0/0x2d0
   do_group_exit+0xde/0x300
   __x64_sys_exit_group+0x3a/0x50
   do_syscall_64+0x9a/0x300
   ? page_fault+0x8/0x30
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

This happened through fault injection where aead_req allocation in
tls_do_encryption() eventually failed and we returned -ENOMEM from
the function. Turns out that the use-after-free is triggered from
tls_sw_sendmsg() in the second tls_push_record(). The error then
triggers a jump to waiting for memory in sk_stream_wait_memory()
resp. returning immediately in case of MSG_DONTWAIT. What follows is
the trim_both_sgl(sk, orig_size), which drops elements from the sg
list added via tls_sw_sendmsg(). Now the use-after-free gets triggered
when the socket is being closed, where tls_sk_proto_close() callback
is invoked. The tls_complete_pending_work() will figure that there's
a pending closed tls record to be flushed and thus calls into the
tls_push_pending_closed_record() from there. ctx->push_pending_record()
is called from the latter, which is the tls_sw_push_pending_record()
from sw path. This again calls into tls_push_record(). And here the
tls_fill_prepend() will panic since the buffer address has been freed
earlier via trim_both_sgl(). One way to fix it is to move the aead
request allocation out of tls_do_encryption() early into tls_push_record().
This means we don't prep the tls header and advance state to the
TLS_PENDING_CLOSED_RECORD before allocation which could potentially
fail happened. That fixes the issue on my side.

Fixes: 3c4d755 ("tls: kernel TLS support")
Reported-by: syzbot+5c74af81c547738e1684@syzkaller.appspotmail.com
Reported-by: syzbot+709f2810a6a05f11d4d3@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
@amboar
Copy link
Member

amboar commented Mar 19, 2019
edited
Loading

Closing as a "false positive" based on the above.

@amboar amboar closed this as completed Mar 19, 2019
shenki pushed a commit that referenced this issue Feb 17, 2022
@gregkh
ARM: 9170/1: fix panic when kasan and kprobe are enabled
1515e72 
commit 8b59b0a upstream.

arm32 uses software to simulate the instruction replaced
by kprobe. some instructions may be simulated by constructing
assembly functions. therefore, before executing instruction
simulation, it is necessary to construct assembly function
execution environment in C language through binding registers.
after kasan is enabled, the register binding relationship will
be destroyed, resulting in instruction simulation errors and
causing kernel panic.

the kprobe emulate instruction function is distributed in three
files: actions-common.c actions-arm.c actions-thumb.c, so disable
KASAN when compiling these files.

for example, use kprobe insert on cap_capable+20 after kasan
enabled, the cap_capable assembly code is as follows:
<cap_capable>:
e92d47f0	push	{r4, r5, r6, r7, r8, r9, sl, lr}
e1a05000	mov	r5, r0
e280006c	add	r0, r0, #108    ; 0x6c
e1a04001	mov	r4, r1
e1a06002	mov	r6, r2
e59fa090	ldr	sl, [pc, #144]  ;
ebfc7bf8	bl	c03aa4b4 <__asan_load4>
e595706c	ldr	r7, [r5, #108]  ; 0x6c
e2859014	add	r9, r5, #20
......
The emulate_ldr assembly code after enabling kasan is as follows:
c06f1384 <emulate_ldr>:
e92d47f0	push	{r4, r5, r6, r7, r8, r9, sl, lr}
e282803c	add	r8, r2, #60     ; 0x3c
e1a05000	mov	r5, r0
e7e37855	ubfx	r7, r5, #16, #4
e1a00008	mov	r0, r8
e1a09001	mov	r9, r1
e1a04002	mov	r4, r2
ebf35462	bl	c03c6530 <__asan_load4>
e357000f	cmp	r7, #15
e7e36655	ubfx	r6, r5, #12, #4
e205a00f	and	sl, r5, #15
0a000001	beq	c06f13bc <emulate_ldr+0x38>
e0840107	add	r0, r4, r7, lsl #2
ebf3545c	bl	c03c6530 <__asan_load4>
e084010a	add	r0, r4, sl, lsl #2
ebf3545a	bl	c03c6530 <__asan_load4>
e2890010	add	r0, r9, #16
ebf35458	bl	c03c6530 <__asan_load4>
e5990010	ldr	r0, [r9, #16]
e12fff30	blx	r0
e356000f	cm	r6, #15
1a000014	bne	c06f1430 <emulate_ldr+0xac>
e1a06000	mov	r6, r0
e2840040	add	r0, r4, #64     ; 0x40
......

when running in emulate_ldr to simulate the ldr instruction, panic
occurred, and the log is as follows:
Unable to handle kernel NULL pointer dereference at virtual address
00000090
pgd = ecb46400
[00000090] *pgd=2e0fa003, *pmd=00000000
Internal error: Oops: 206 [#1] SMP ARM
PC is at cap_capable+0x14/0xb0
LR is at emulate_ldr+0x50/0xc0
psr: 600d0293 sp : ecd63af8  ip : 00000004  fp : c0a7c30c
r10: 00000000  r9 : c30897f4  r8 : ecd63cd4
r7 : 0000000f  r6 : 0000000a  r5 : e59fa090  r4 : ecd63c98
r3 : c06ae294  r2 : 00000000  r1 : b7611300  r0 : bf4ec008
Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 32c5387d  Table: 2d546400  DAC: 55555555
Process bash (pid: 1643, stack limit = 0xecd60190)
(cap_capable) from (kprobe_handler+0x218/0x340)
(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)
(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)
(do_undefinstr) from (__und_svc_finish+0x0/0x30)
(__und_svc_finish) from (cap_capable+0x18/0xb0)
(cap_capable) from (cap_vm_enough_memory+0x38/0x48)
(cap_vm_enough_memory) from
(security_vm_enough_memory_mm+0x48/0x6c)
(security_vm_enough_memory_mm) from
(copy_process.constprop.5+0x16b4/0x25c8)
(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)
(_do_fork) from (SyS_clone+0x1c/0x24)
(SyS_clone) from (__sys_trace_return+0x0/0x10)
Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)

Fixes: 35aa1df ("ARM kprobes: instruction single-stepping support")
Fixes: 4210157 ("ARM: 9017/2: Enable KASan for ARM")
Signed-off-by: huangshaobo <huangshaobo6@huawei.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
amboar pushed a commit to amboar/linux that referenced this issue Sep 19, 2024
@MrVan @tehcaster
mm, slub: avoid zeroing kmalloc redzone
59090e4 
Since commit 946fa0d ("mm/slub: extend redzone check to extra
allocated kmalloc space than requested"), setting orig_size treats
the wasted space (object_size - orig_size) as a redzone. However with
init_on_free=1 we clear the full object->size, including the redzone.

Additionally we clear the object metadata, including the stored orig_size,
making it zero, which makes check_object() treat the whole object as a
redzone.

These issues lead to the following BUG report with "slub_debug=FUZ
init_on_free=1":

[    0.000000] =============================================================================
[    0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten
[    0.000000] -----------------------------------------------------------------------------
[    0.000000]
[    0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc
[    0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc
[    0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff)
[    0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8
[    0.000000]
[    0.000000] Redzone  ffff000010032850: cc cc cc cc cc cc cc cc                          ........
[    0.000000] Object   ffff000010032858: cc cc cc cc cc cc cc cc                          ........
[    0.000000] Redzone  ffff000010032860: cc cc cc cc cc cc cc cc                          ........
[    0.000000] Padding  ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00              ............
[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 openbmc#144
[    0.000000] Hardware name: NXP i.MX95 19X19 board (DT)
[    0.000000] Call trace:
[    0.000000]  dump_backtrace+0x90/0xe8
[    0.000000]  show_stack+0x18/0x24
[    0.000000]  dump_stack_lvl+0x74/0x8c
[    0.000000]  dump_stack+0x18/0x24
[    0.000000]  print_trailer+0x150/0x218
[    0.000000]  check_object+0xe4/0x454
[    0.000000]  free_to_partial_list+0x2f8/0x5ec

To address the issue, use orig_size to clear the used area. And restore
the value of orig_size after clear the remaining area.

When CONFIG_SLUB_DEBUG not defined, (get_orig_size()' directly returns
s->object_size. So when using memset to init the area, the size can simply
be orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG not
enabled. And orig_size can never be bigger than object_size.

Fixes: 946fa0d ("mm/slub: extend redzone check to extra allocated kmalloc space than requested")
Cc: <stable@vger.kernel.org>
Reviewed-by: Feng Tang <feng.tang@intel.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@amboar amboar

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@shenki @amboar