From: George Kennedy <george.kennedy@oracle.com>
To: dvyukov@google.com, konrad.wilk@oracle.com
Cc: george.kennedy@oracle.com, kasan-dev@googlegroups.com,
	glider@google.com, aryabinin@virtuozzo.com, pjones@redhat.com,
	konrad@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] iscsi_ibft: KASAN false positive failure occurs in ibft_init()
Date: Wed, 27 Jan 2021 15:47:57 -0500
Message-ID: <1611780477-1415-1-git-send-email-george.kennedy@oracle.com>

Hi Dmitry,

On 1/27/2021 1:48 PM, Dmitry Vyukov wrote:
> On Wed, Jan 27, 2021 at 7:44 PM Konrad Rzeszutek Wilk
> <konrad.wilk@oracle.com> wrote:
>> On Tue, Jan 26, 2021 at 01:03:21PM -0500, George Kennedy wrote:
>>> During boot of kernel with CONFIG_KASAN the following KASAN false
>>> positive failure will occur when ibft_init() reads the
>>> ACPI iBFT table: BUG: KASAN: use-after-free in ibft_init
>>>
>>> The ACPI iBFT table is not allocated, and the iscsi driver uses
>>> a pointer to it to calculate checksum, etc. KASAN complains
>>> about this pointer with use-after-free, which this is not.
>>>
>> Andrey, Alexander, Dmitry,
>>
>> I think this is the right way for this, but was wondering if you have
>> other suggestions?
>>
>> Thanks!
> Hi George, Konrad,
>
> Please provide a sample KASAN report and kernel version to match line numbers.

5.4.17-2102.200.0.0.20210106_0000

[   24.413536] iBFT detected.
[   24.414074] ==================================================================
[   24.407342] BUG: KASAN: use-after-free in ibft_init+0x134/0xb8b
[   24.407342] Read of size 4 at addr ffff8880be452004 by task swapper/0/1
[   24.407342]
[   24.407342] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.17-2102.200.0.0.20210106_0000.syzk #1
[   24.407342] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
[   24.407342] Call Trace:
[   24.407342]  dump_stack+0xd4/0x119
[   24.407342]  ? ibft_init+0x134/0xb8b
[   24.407342]  print_address_description.constprop.6+0x20/0x220
[   24.407342]  ? ibft_init+0x134/0xb8b
[   24.407342]  ? ibft_init+0x134/0xb8b
[   24.407342]  __kasan_report.cold.9+0x37/0x77
[   24.407342]  ? ibft_init+0x134/0xb8b
[   24.407342]  kasan_report+0x14/0x1b
[   24.407342]  __asan_report_load_n_noabort+0xf/0x11
[   24.407342]  ibft_init+0x134/0xb8b
[   24.407342]  ? dmi_sysfs_init+0x1a5/0x1a5
[   24.407342]  ? dmi_walk+0x72/0x89
[   24.407342]  ? ibft_check_initiator_for+0x159/0x159
[   24.407342]  ? rvt_init_port+0x110/0x101
[   24.407342]  ? ibft_check_initiator_for+0x159/0x159
[   24.407342]  do_one_initcall+0xc3/0x44d
[   24.407342]  ? perf_trace_initcall_level+0x410/0x405
[   24.407342]  kernel_init_freeable+0x551/0x673
[   24.407342]  ? start_kernel+0x94b/0x94b
[   24.407342]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x1c
[   24.407342]  ? __kasan_check_write+0x14/0x16
[   24.407342]  ? rest_init+0xe6/0xe6
[   24.407342]  kernel_init+0x16/0x1bd
[   24.407342]  ? rest_init+0xe6/0xe6
[   24.407342]  ret_from_fork+0x2b/0x36
[   24.407342]
[   24.407342] The buggy address belongs to the page:
[   24.407342] page:ffffea0002f91480 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1
[   24.407342] flags: 0xfffffc0000000()
[   24.407342] raw: 000fffffc0000000 ffffea0002fca588 ffffea0002fb1a88 0000000000000000
[   24.407342] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   24.407342] page dumped because: kasan: bad access detected
[   24.407342]
[   24.407342] Memory state around the buggy address:
[   24.407342]  ffff8880be451f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.407342]  ffff8880be451f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.407342] >ffff8880be452000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.407342]                    ^
[   24.407342]  ffff8880be452080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.407342]  ffff8880be452100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.407342]
==================================================================
[   24.407342] Disabling lock debugging due to kernel taint
[   24.451021] Kernel panic - not syncing: panic_on_warn set ...
[   24.452002] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G    B 5.4.17-2102.200.0.0.20210106_0000.syzk #1
[   24.452002] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
[   24.452002] Call Trace:
[   24.452002]  dump_stack+0xd4/0x119
[   24.452002]  ? ibft_init+0x102/0xb8b
[   24.452002]  panic+0x28f/0x6e0
[   24.452002]  ? __warn_printk+0xe0/0xe0
[   24.452002]  ? ibft_init+0x134/0xb8b
[   24.452002]  ? add_taint+0x68/0xb3
[   24.452002]  ? add_taint+0x68/0xb3
[   24.452002]  ? ibft_init+0x134/0xb8b
[   24.452002]  ? ibft_init+0x134/0xb8b
[   24.452002]  end_report+0x4c/0x54
[   24.452002]  __kasan_report.cold.9+0x55/0x77
[   24.452002]  ? ibft_init+0x134/0xb8b
[   24.452002]  kasan_report+0x14/0x1b
[   24.452002]  __asan_report_load_n_noabort+0xf/0x11
[   24.452002]  ibft_init+0x134/0xb8b
[   24.452002]  ? dmi_sysfs_init+0x1a5/0x1a5
[   24.452002]  ? dmi_walk+0x72/0x89
[   24.452002]  ? ibft_check_initiator_for+0x159/0x159
[   24.452002]  ? rvt_init_port+0x110/0x101
[   24.452002]  ? ibft_check_initiator_for+0x159/0x159
[   24.452002]  do_one_initcall+0xc3/0x44d
[   24.452002]  ? perf_trace_initcall_level+0x410/0x405
[   24.452002]  kernel_init_freeable+0x551/0x673
[   24.452002]  ? start_kernel+0x94b/0x94b
[   24.452002]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x1c
[   24.452002]  ? __kasan_check_write+0x14/0x16
[   24.452002]  ? rest_init+0xe6/0xe6
[   24.452002]  kernel_init+0x16/0x1bd
[   24.452002]  ? rest_init+0xe6/0xe6
[   24.452002]  ret_from_fork+0x2b/0x36
[   24.452002] Dumping ftrace buffer:
[   24.452002] ---------------------------------
[   24.452002] swapper/-1         1.... 24564337us : rdmaip_init: 2924: rdmaip_init: Active Bonding is DISABLED
[   24.452002] ---------------------------------
[   24.452002] Kernel Offset: disabled
[   24.452002] Rebooting in 1 seconds..

> Why does KASAN think the address is freed? For that to happen that
> memory should have been freed. I don't remember any similar false
> positives from KASAN, so this looks a bit suspicious.

I'm not sure why KASAN thinks the address is freed. There are other modules where KASAN/KCOV is disabled on boot.
Could this be for a similar reason?

Thank you,
George

>>> Signed-off-by: George Kennedy <george.kennedy@oracle.com>
>>> ---
>>>  drivers/firmware/Makefile | 3 +++
>>>  1 file changed, 3 insertions(+)
>>>
>>> diff --git a/drivers/firmware/Makefile b/drivers/firmware/Makefile
>>> index 5e013b6..30ddab5 100644
>>> --- a/drivers/firmware/Makefile
>>> +++ b/drivers/firmware/Makefile
>>> @@ -14,6 +14,9 @@ obj-$(CONFIG_INTEL_STRATIX10_SERVICE) += stratix10-svc.o
>>>  obj-$(CONFIG_INTEL_STRATIX10_RSU)     += stratix10-rsu.o
>>>  obj-$(CONFIG_ISCSI_IBFT_FIND)        += iscsi_ibft_find.o
>>>  obj-$(CONFIG_ISCSI_IBFT)     += iscsi_ibft.o
>>> +KASAN_SANITIZE_iscsi_ibft.o := n
>>> +KCOV_INSTRUMENT_iscsi_ibft.o := n
>>> +
>>>  obj-$(CONFIG_FIRMWARE_MEMMAP)        += memmap.o
>>>  obj-$(CONFIG_RASPBERRYPI_FIRMWARE) += raspberrypi.o
>>>  obj-$(CONFIG_FW_CFG_SYSFS)   += qemu_fw_cfg.o
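Review bot: Disabling KASAN and KCOV instrumentation for the whole of iscsi_ibft.o silences the report rather than showing that the access is safe, and the report in this thread argues against treating it as a false positive: every shadow byte around ffff8880be452004 is ff (KASAN_FREE_PAGE) and the page dump shows refcount:0, so the page allocator considers the page holding the iBFT free, which points at memory the kernel never reserved rather than at a sanitizer defect. Suggest first confirming how the iBFT page is reserved or mapped before adding these lines; if an opt-out is still wanted, put a comment above `KASAN_SANITIZE_iscsi_ibft.o := n` stating why, and drop `KCOV_INSTRUMENT_iscsi_ibft.o := n`, which nothing in the report motivates, since both opt-outs also hide genuine bugs in this file.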
>>> --
>>> 1.8.3.1
>>>

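Reading the shadow dump is the first triage step for a report like the one above. The following Python helper is an added example (not from this thread or the kernel tree): it pulls the faulting address and size out of a KASAN report, maps each 8-byte granule of the access onto the "Memory state" rows, and decodes the shadow value. It assumes the generic-KASAN shadow layout (one shadow byte per 8 bytes of memory, 16 shadow bytes per dump row) and the legend values from mm/kasan/kasan.h; the sample report is an excerpt constructed from the report quoted in this message.

```python
import re

# Generic-KASAN shadow values (mm/kasan/kasan.h); the same legend ends every report.
SHADOW_LEGEND = {
    0xFF: "freed page (KASAN_FREE_PAGE)",
    0xFE: "kmalloc_large redzone (KASAN_PAGE_REDZONE)",
    0xFC: "slab object redzone (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
    0xFA: "global variable redzone (KASAN_GLOBAL_REDZONE)",
}
SCALE_SHIFT = 3               # one shadow byte covers 8 bytes of memory
ROW_SPAN = 16 << SCALE_SHIFT  # a dump row holds 16 shadow bytes = 128 bytes of memory
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
ROW_RE = re.compile(r"^\s*(?:\[[^\]]*\]\s*)?>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")

def describe_shadow(value):
    if value == 0:
        return "fully accessible"
    if 1 <= value <= 7:
        return f"partially accessible (first {value} of 8 bytes)"
    return SHADOW_LEGEND.get(value, f"unrecognised shadow value 0x{value:02x}")

def triage(report):
    """(kind, size, addr, [shadow byte of each 8-byte granule the access touches])."""
    m = ACCESS_RE.search(report)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr X' line in report")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    # memory address at the start of each dump row -> its 16 shadow bytes
    rows = {int(r.group(1), 16): [int(b, 16) for b in r.group(2).split()]
            for r in map(ROW_RE.match, report.splitlines()) if r}
    values = []
    for g in range(addr >> SCALE_SHIFT, ((addr + size - 1) >> SCALE_SHIFT) + 1):
        mem = g << SCALE_SHIFT
        base = mem - mem % ROW_SPAN
        if base not in rows:
            raise ValueError(f"granule 0x{mem:x} is outside the shadow dump")
        values.append(rows[base][(mem - base) >> SCALE_SHIFT])
    return kind, size, addr, values

# Constructed excerpt of the report quoted above; '>' marks the faulting row.
SAMPLE_REPORT = """\
[   24.407342] Read of size 4 at addr ffff8880be452004 by task swapper/0/1
[   24.407342]  ffff8880be451f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   24.407342] >ffff8880be452000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

if __name__ == "__main__":
    kind, size, addr, values = triage(SAMPLE_REPORT)
    print(f"{kind} of size {size} at 0x{addr:x}:", ", ".join(map(describe_shadow, values)))
```

For the report in this thread every granule of the access decodes to KASAN_FREE_PAGE, which is what the page dump's refcount:0 also says.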