* [PATCH] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
@ 2022-01-19 1:50 ` He Ying
0 siblings, 0 replies; 10+ messages in thread
From: He Ying @ 2022-01-19 1:50 UTC (permalink / raw)
To: catalin.marinas, mpe, benh, paulus, npiggin, christophe.leroy,
sxwjean, peterz, keescook
Cc: linuxppc-dev, linux-kernel, heying24
The following KASAN warning was reported in our kernel.
BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
Read of size 4 at addr d216f958 by task ps/14437
CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
Call Trace:
[daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
[daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
[daa63908] [c035d6bc] kasan_report+0x1ac/0x218
[daa63948] [c00496e8] get_wchan+0x188/0x250
[daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
[daa63b98] [c0455ac8] proc_single_show+0x98/0x170
[daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
[daa63c38] [c03cb47c] seq_read+0x1dc/0x290
[daa63d68] [c037fc94] vfs_read+0x164/0x510
[daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
[daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
--- interrupt: c00 at 0x8fa8f4
LR = 0x8fa8cc
The buggy address belongs to the page:
page:98ebcdd2 refcount:0 mapcount:0 mapping:00000000 index:0x2 pfn:0x1216f
flags: 0x0()
raw: 00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000
raw: 00000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
^
d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
After looking into this issue, I find the buggy address belongs
to the task stack region. It seems KASAN has something wrong.
I look into the code of __get_wchan in x86 architecture and
find the same issue has been resolved by the commit
f7d27c35ddff ("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
The solution could be applied to powerpc architecture too.
As Andrey Ryabinin said, get_wchan() is racy by design, it may
access volatile stack of running task, thus it may access
redzone in a stack frame and cause KASAN to warn about this.
Use READ_ONCE_NOCHECK() to silence these warnings.
Signed-off-by: He Ying <heying24@huawei.com>
---
arch/powerpc/kernel/process.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index 984813a4d5dc..a75d20f23dac 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -2160,12 +2160,12 @@ static unsigned long ___get_wchan(struct task_struct *p)
return 0;
do {
- sp = *(unsigned long *)sp;
+ sp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) ||
task_is_running(p))
return 0;
if (count > 0) {
- ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE];
+ ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]);
if (!in_sched_functions(ip))
return ip;
}
--
2.17.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
@ 2022-01-19 1:50 ` He Ying
0 siblings, 0 replies; 10+ messages in thread
From: He Ying @ 2022-01-19 1:50 UTC (permalink / raw)
To: catalin.marinas, mpe, benh, paulus, npiggin, christophe.leroy,
sxwjean, peterz, keescook
Cc: linuxppc-dev, linux-kernel, heying24
The following KASAN warning was reported in our kernel.
BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
Read of size 4 at addr d216f958 by task ps/14437
CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
Call Trace:
[daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
[daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
[daa63908] [c035d6bc] kasan_report+0x1ac/0x218
[daa63948] [c00496e8] get_wchan+0x188/0x250
[daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
[daa63b98] [c0455ac8] proc_single_show+0x98/0x170
[daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
[daa63c38] [c03cb47c] seq_read+0x1dc/0x290
[daa63d68] [c037fc94] vfs_read+0x164/0x510
[daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
[daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
--- interrupt: c00 at 0x8fa8f4
LR = 0x8fa8cc
The buggy address belongs to the page:
page:98ebcdd2 refcount:0 mapcount:0 mapping:00000000 index:0x2 pfn:0x1216f
flags: 0x0()
raw: 00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000
raw: 00000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
^
d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
After looking into this issue, I find the buggy address belongs
to the task stack region. It seems KASAN has something wrong.
I look into the code of __get_wchan in x86 architecture and
find the same issue has been resolved by the commit
f7d27c35ddff ("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
The solution could be applied to powerpc architecture too.
As Andrey Ryabinin said, get_wchan() is racy by design, it may
access volatile stack of running task, thus it may access
redzone in a stack frame and cause KASAN to warn about this.
Use READ_ONCE_NOCHECK() to silence these warnings.
Signed-off-by: He Ying <heying24@huawei.com>
---
arch/powerpc/kernel/process.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index 984813a4d5dc..a75d20f23dac 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -2160,12 +2160,12 @@ static unsigned long ___get_wchan(struct task_struct *p)
return 0;
do {
- sp = *(unsigned long *)sp;
+ sp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) ||
task_is_running(p))
return 0;
if (count > 0) {
- ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE];
+ ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]);
if (!in_sched_functions(ip))
return ip;
}
--
2.17.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
2022-01-19 1:50 ` He Ying
@ 2022-01-19 18:51 ` Kees Cook
-1 siblings, 0 replies; 10+ messages in thread
From: Kees Cook @ 2022-01-19 18:51 UTC (permalink / raw)
To: He Ying
Cc: catalin.marinas, mpe, benh, paulus, npiggin, christophe.leroy,
sxwjean, peterz, linuxppc-dev, linux-kernel
On Tue, Jan 18, 2022 at 08:50:25PM -0500, He Ying wrote:
> The following KASAN warning was reported in our kernel.
>
> BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
> Read of size 4 at addr d216f958 by task ps/14437
>
> CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
> Call Trace:
> [daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
> [daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
> [daa63908] [c035d6bc] kasan_report+0x1ac/0x218
> [daa63948] [c00496e8] get_wchan+0x188/0x250
> [daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
> [daa63b98] [c0455ac8] proc_single_show+0x98/0x170
> [daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
> [daa63c38] [c03cb47c] seq_read+0x1dc/0x290
> [daa63d68] [c037fc94] vfs_read+0x164/0x510
> [daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
> [daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
> --- interrupt: c00 at 0x8fa8f4
> LR = 0x8fa8cc
>
> The buggy address belongs to the page:
> page:98ebcdd2 refcount:0 mapcount:0 mapping:00000000 index:0x2 pfn:0x1216f
> flags: 0x0()
> raw: 00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000
> raw: 00000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
> d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
> ^
> d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
> d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
> After looking into this issue, I find the buggy address belongs
> to the task stack region. It seems KASAN has something wrong.
> I look into the code of __get_wchan in x86 architecture and
> find the same issue has been resolved by the commit
> f7d27c35ddff ("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
> The solution could be applied to powerpc architecture too.
>
> As Andrey Ryabinin said, get_wchan() is racy by design, it may
> access volatile stack of running task, thus it may access
> redzone in a stack frame and cause KASAN to warn about this.
>
> Use READ_ONCE_NOCHECK() to silence these warnings.
>
> Signed-off-by: He Ying <heying24@huawei.com>
Looks reasonable to me; thanks!
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
> ---
> arch/powerpc/kernel/process.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
> index 984813a4d5dc..a75d20f23dac 100644
> --- a/arch/powerpc/kernel/process.c
> +++ b/arch/powerpc/kernel/process.c
> @@ -2160,12 +2160,12 @@ static unsigned long ___get_wchan(struct task_struct *p)
> return 0;
>
> do {
> - sp = *(unsigned long *)sp;
> + sp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
> if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) ||
> task_is_running(p))
> return 0;
> if (count > 0) {
> - ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE];
> + ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]);
> if (!in_sched_functions(ip))
> return ip;
> }
> --
> 2.17.1
>
--
Kees Cook
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
@ 2022-01-19 18:51 ` Kees Cook
0 siblings, 0 replies; 10+ messages in thread
From: Kees Cook @ 2022-01-19 18:51 UTC (permalink / raw)
To: He Ying
Cc: catalin.marinas, linux-kernel, sxwjean, peterz, paulus, npiggin,
linuxppc-dev
On Tue, Jan 18, 2022 at 08:50:25PM -0500, He Ying wrote:
> The following KASAN warning was reported in our kernel.
>
> BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
> Read of size 4 at addr d216f958 by task ps/14437
>
> CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
> Call Trace:
> [daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
> [daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
> [daa63908] [c035d6bc] kasan_report+0x1ac/0x218
> [daa63948] [c00496e8] get_wchan+0x188/0x250
> [daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
> [daa63b98] [c0455ac8] proc_single_show+0x98/0x170
> [daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
> [daa63c38] [c03cb47c] seq_read+0x1dc/0x290
> [daa63d68] [c037fc94] vfs_read+0x164/0x510
> [daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
> [daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
> --- interrupt: c00 at 0x8fa8f4
> LR = 0x8fa8cc
>
> The buggy address belongs to the page:
> page:98ebcdd2 refcount:0 mapcount:0 mapping:00000000 index:0x2 pfn:0x1216f
> flags: 0x0()
> raw: 00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000
> raw: 00000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
> d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
> ^
> d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
> d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
> After looking into this issue, I find the buggy address belongs
> to the task stack region. It seems KASAN has something wrong.
> I look into the code of __get_wchan in x86 architecture and
> find the same issue has been resolved by the commit
> f7d27c35ddff ("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
> The solution could be applied to powerpc architecture too.
>
> As Andrey Ryabinin said, get_wchan() is racy by design, it may
> access volatile stack of running task, thus it may access
> redzone in a stack frame and cause KASAN to warn about this.
>
> Use READ_ONCE_NOCHECK() to silence these warnings.
>
> Signed-off-by: He Ying <heying24@huawei.com>
Looks reasonable to me; thanks!
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
> ---
> arch/powerpc/kernel/process.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
> index 984813a4d5dc..a75d20f23dac 100644
> --- a/arch/powerpc/kernel/process.c
> +++ b/arch/powerpc/kernel/process.c
> @@ -2160,12 +2160,12 @@ static unsigned long ___get_wchan(struct task_struct *p)
> return 0;
>
> do {
> - sp = *(unsigned long *)sp;
> + sp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
> if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) ||
> task_is_running(p))
> return 0;
> if (count > 0) {
> - ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE];
> + ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]);
> if (!in_sched_functions(ip))
> return ip;
> }
> --
> 2.17.1
>
--
Kees Cook
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH -v2] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
2022-01-19 1:50 ` He Ying
@ 2022-01-21 1:44 ` He Ying
-1 siblings, 0 replies; 10+ messages in thread
From: He Ying @ 2022-01-21 1:44 UTC (permalink / raw)
To: catalin.marinas, mpe, benh, paulus, npiggin, christophe.leroy,
sxwjean, peterz, keescook
Cc: linuxppc-dev, linux-kernel, heying24, huwanming, chenjingwen6
The following KASAN warning was reported in our kernel.
BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
Read of size 4 at addr d216f958 by task ps/14437
CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
Call Trace:
[daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
[daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
[daa63908] [c035d6bc] kasan_report+0x1ac/0x218
[daa63948] [c00496e8] get_wchan+0x188/0x250
[daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
[daa63b98] [c0455ac8] proc_single_show+0x98/0x170
[daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
[daa63c38] [c03cb47c] seq_read+0x1dc/0x290
[daa63d68] [c037fc94] vfs_read+0x164/0x510
[daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
[daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
--- interrupt: c00 at 0x8fa8f4
LR = 0x8fa8cc
The buggy address belongs to the page:
page:98ebcdd2 refcount:0 mapcount:0 mapping:00000000 index:0x2 pfn:0x1216f
flags: 0x0()
raw: 00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000
raw: 00000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
^
d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
After looking into this issue, I find the buggy address belongs
to the task stack region. It seems KASAN has something wrong.
I look into the code of __get_wchan in x86 architecture and
find the same issue has been resolved by the commit
f7d27c35ddff ("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
The solution could be applied to powerpc architecture too.
As Andrey Ryabinin said, get_wchan() is racy by design, it may
access volatile stack of running task, thus it may access
redzone in a stack frame and cause KASAN to warn about this.
Use READ_ONCE_NOCHECK() to silence these warnings.
Reported-by: Wanming Hu <huwanming@huaweil.com>
Signed-off-by: He Ying <heying24@huawei.com>
Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
---
Changelog:
v2:
* Add missing Reported-by and SoB tags
---
arch/powerpc/kernel/process.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index 984813a4d5dc..a75d20f23dac 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -2160,12 +2160,12 @@ static unsigned long ___get_wchan(struct task_struct *p)
return 0;
do {
- sp = *(unsigned long *)sp;
+ sp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) ||
task_is_running(p))
return 0;
if (count > 0) {
- ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE];
+ ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]);
if (!in_sched_functions(ip))
return ip;
}
--
2.17.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH -v2] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
@ 2022-01-21 1:44 ` He Ying
0 siblings, 0 replies; 10+ messages in thread
From: He Ying @ 2022-01-21 1:44 UTC (permalink / raw)
To: catalin.marinas, mpe, benh, paulus, npiggin, christophe.leroy,
sxwjean, peterz, keescook
Cc: chenjingwen6, huwanming, linuxppc-dev, linux-kernel, heying24
The following KASAN warning was reported in our kernel.
BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
Read of size 4 at addr d216f958 by task ps/14437
CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
Call Trace:
[daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
[daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
[daa63908] [c035d6bc] kasan_report+0x1ac/0x218
[daa63948] [c00496e8] get_wchan+0x188/0x250
[daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
[daa63b98] [c0455ac8] proc_single_show+0x98/0x170
[daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
[daa63c38] [c03cb47c] seq_read+0x1dc/0x290
[daa63d68] [c037fc94] vfs_read+0x164/0x510
[daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
[daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
--- interrupt: c00 at 0x8fa8f4
LR = 0x8fa8cc
The buggy address belongs to the page:
page:98ebcdd2 refcount:0 mapcount:0 mapping:00000000 index:0x2 pfn:0x1216f
flags: 0x0()
raw: 00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000
raw: 00000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
^
d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
After looking into this issue, I find the buggy address belongs
to the task stack region. It seems KASAN has something wrong.
I look into the code of __get_wchan in x86 architecture and
find the same issue has been resolved by the commit
f7d27c35ddff ("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
The solution could be applied to powerpc architecture too.
As Andrey Ryabinin said, get_wchan() is racy by design, it may
access volatile stack of running task, thus it may access
redzone in a stack frame and cause KASAN to warn about this.
Use READ_ONCE_NOCHECK() to silence these warnings.
Reported-by: Wanming Hu <huwanming@huaweil.com>
Signed-off-by: He Ying <heying24@huawei.com>
Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
---
Changelog:
v2:
* Add missing Reported-by and SoB tags
---
arch/powerpc/kernel/process.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index 984813a4d5dc..a75d20f23dac 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -2160,12 +2160,12 @@ static unsigned long ___get_wchan(struct task_struct *p)
return 0;
do {
- sp = *(unsigned long *)sp;
+ sp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) ||
task_is_running(p))
return 0;
if (count > 0) {
- ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE];
+ ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]);
if (!in_sched_functions(ip))
return ip;
}
--
2.17.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH -v2] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
2022-01-21 1:44 ` He Ying
@ 2022-02-17 8:20 ` He Ying
-1 siblings, 0 replies; 10+ messages in thread
From: He Ying @ 2022-02-17 8:20 UTC (permalink / raw)
To: catalin.marinas, mpe, benh, paulus, npiggin, christophe.leroy,
sxwjean, peterz, keescook
Cc: linuxppc-dev, linux-kernel, huwanming, chenjingwen6
Hi Michael,
Kindly ping. This patch may be missed. Would you please pick it? Or does
it need more review?
在 2022/1/21 9:44, He Ying 写道:
> The following KASAN warning was reported in our kernel.
>
> BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
> Read of size 4 at addr d216f958 by task ps/14437
>
> CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
> Call Trace:
> [daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
> [daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
> [daa63908] [c035d6bc] kasan_report+0x1ac/0x218
> [daa63948] [c00496e8] get_wchan+0x188/0x250
> [daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
> [daa63b98] [c0455ac8] proc_single_show+0x98/0x170
> [daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
> [daa63c38] [c03cb47c] seq_read+0x1dc/0x290
> [daa63d68] [c037fc94] vfs_read+0x164/0x510
> [daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
> [daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
> --- interrupt: c00 at 0x8fa8f4
> LR = 0x8fa8cc
>
> The buggy address belongs to the page:
> page:98ebcdd2 refcount:0 mapcount:0 mapping:00000000 index:0x2 pfn:0x1216f
> flags: 0x0()
> raw: 00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000
> raw: 00000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
> d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
> ^
> d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
> d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
> After looking into this issue, I find the buggy address belongs
> to the task stack region. It seems KASAN has something wrong.
> I look into the code of __get_wchan in x86 architecture and
> find the same issue has been resolved by the commit
> f7d27c35ddff ("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
> The solution could be applied to powerpc architecture too.
>
> As Andrey Ryabinin said, get_wchan() is racy by design, it may
> access volatile stack of running task, thus it may access
> redzone in a stack frame and cause KASAN to warn about this.
>
> Use READ_ONCE_NOCHECK() to silence these warnings.
>
> Reported-by: Wanming Hu <huwanming@huaweil.com>
> Signed-off-by: He Ying <heying24@huawei.com>
> Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> ---
> Changelog:
>
> v2:
> * Add missing Reported-by and SoB tags
> ---
> arch/powerpc/kernel/process.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
> index 984813a4d5dc..a75d20f23dac 100644
> --- a/arch/powerpc/kernel/process.c
> +++ b/arch/powerpc/kernel/process.c
> @@ -2160,12 +2160,12 @@ static unsigned long ___get_wchan(struct task_struct *p)
> return 0;
>
> do {
> - sp = *(unsigned long *)sp;
> + sp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
> if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) ||
> task_is_running(p))
> return 0;
> if (count > 0) {
> - ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE];
> + ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]);
> if (!in_sched_functions(ip))
> return ip;
> }
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH -v2] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
@ 2022-02-17 8:20 ` He Ying
0 siblings, 0 replies; 10+ messages in thread
From: He Ying @ 2022-02-17 8:20 UTC (permalink / raw)
To: catalin.marinas, mpe, benh, paulus, npiggin, christophe.leroy,
sxwjean, peterz, keescook
Cc: chenjingwen6, linuxppc-dev, linux-kernel, huwanming
Hi Michael,
Kindly ping. This patch may be missed. Would you please pick it? Or does
it need more review?
在 2022/1/21 9:44, He Ying 写道:
> The following KASAN warning was reported in our kernel.
>
> BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
> Read of size 4 at addr d216f958 by task ps/14437
>
> CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
> Call Trace:
> [daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
> [daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
> [daa63908] [c035d6bc] kasan_report+0x1ac/0x218
> [daa63948] [c00496e8] get_wchan+0x188/0x250
> [daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
> [daa63b98] [c0455ac8] proc_single_show+0x98/0x170
> [daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
> [daa63c38] [c03cb47c] seq_read+0x1dc/0x290
> [daa63d68] [c037fc94] vfs_read+0x164/0x510
> [daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
> [daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
> --- interrupt: c00 at 0x8fa8f4
> LR = 0x8fa8cc
>
> The buggy address belongs to the page:
> page:98ebcdd2 refcount:0 mapcount:0 mapping:00000000 index:0x2 pfn:0x1216f
> flags: 0x0()
> raw: 00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000
> raw: 00000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
> d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
> ^
> d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
> d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
> After looking into this issue, I find the buggy address belongs
> to the task stack region. It seems KASAN has something wrong.
> I look into the code of __get_wchan in x86 architecture and
> find the same issue has been resolved by the commit
> f7d27c35ddff ("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
> The solution could be applied to powerpc architecture too.
>
> As Andrey Ryabinin said, get_wchan() is racy by design, it may
> access volatile stack of running task, thus it may access
> redzone in a stack frame and cause KASAN to warn about this.
>
> Use READ_ONCE_NOCHECK() to silence these warnings.
>
> Reported-by: Wanming Hu <huwanming@huaweil.com>
> Signed-off-by: He Ying <heying24@huawei.com>
> Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> ---
> Changelog:
>
> v2:
> * Add missing Reported-by and SoB tags
> ---
> arch/powerpc/kernel/process.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
> index 984813a4d5dc..a75d20f23dac 100644
> --- a/arch/powerpc/kernel/process.c
> +++ b/arch/powerpc/kernel/process.c
> @@ -2160,12 +2160,12 @@ static unsigned long ___get_wchan(struct task_struct *p)
> return 0;
>
> do {
> - sp = *(unsigned long *)sp;
> + sp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
> if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) ||
> task_is_running(p))
> return 0;
> if (count > 0) {
> - ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE];
> + ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]);
> if (!in_sched_functions(ip))
> return ip;
> }
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH -v2] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
2022-01-21 1:44 ` He Ying
@ 2022-06-09 14:44 ` Michael Ellerman
-1 siblings, 0 replies; 10+ messages in thread
From: Michael Ellerman @ 2022-06-09 14:44 UTC (permalink / raw)
To: catalin.marinas, keescook, mpe, He Ying, npiggin, peterz,
christophe.leroy, benh, paulus, sxwjean
Cc: linuxppc-dev, chenjingwen6, huwanming, linux-kernel
On Thu, 20 Jan 2022 20:44:18 -0500, He Ying wrote:
> The following KASAN warning was reported in our kernel.
>
> BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
> Read of size 4 at addr d216f958 by task ps/14437
>
> CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
> Call Trace:
> [daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
> [daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
> [daa63908] [c035d6bc] kasan_report+0x1ac/0x218
> [daa63948] [c00496e8] get_wchan+0x188/0x250
> [daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
> [daa63b98] [c0455ac8] proc_single_show+0x98/0x170
> [daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
> [daa63c38] [c03cb47c] seq_read+0x1dc/0x290
> [daa63d68] [c037fc94] vfs_read+0x164/0x510
> [daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
> [daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
> --- interrupt: c00 at 0x8fa8f4
> LR = 0x8fa8cc
>
> [...]
Applied to powerpc/fixes.
[1/1] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
https://git.kernel.org/powerpc/c/a1b29ba2f2c171b9bea73be993bfdf0a62d37d15
cheers
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH -v2] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
@ 2022-06-09 14:44 ` Michael Ellerman
0 siblings, 0 replies; 10+ messages in thread
From: Michael Ellerman @ 2022-06-09 14:44 UTC (permalink / raw)
To: catalin.marinas, keescook, mpe, He Ying, npiggin, peterz,
christophe.leroy, benh, paulus, sxwjean
Cc: chenjingwen6, linuxppc-dev, linux-kernel, huwanming
On Thu, 20 Jan 2022 20:44:18 -0500, He Ying wrote:
> The following KASAN warning was reported in our kernel.
>
> BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
> Read of size 4 at addr d216f958 by task ps/14437
>
> CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
> Call Trace:
> [daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
> [daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
> [daa63908] [c035d6bc] kasan_report+0x1ac/0x218
> [daa63948] [c00496e8] get_wchan+0x188/0x250
> [daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
> [daa63b98] [c0455ac8] proc_single_show+0x98/0x170
> [daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
> [daa63c38] [c03cb47c] seq_read+0x1dc/0x290
> [daa63d68] [c037fc94] vfs_read+0x164/0x510
> [daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
> [daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
> --- interrupt: c00 at 0x8fa8f4
> LR = 0x8fa8cc
>
> [...]
Applied to powerpc/fixes.
[1/1] powerpc/process, kasan: Silence KASAN warnings in __get_wchan()
https://git.kernel.org/powerpc/c/a1b29ba2f2c171b9bea73be993bfdf0a62d37d15
cheers
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2022-06-09 14:47 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-19 1:50 [PATCH] powerpc/process, kasan: Silence KASAN warnings in __get_wchan() He Ying
2022-01-19 1:50 ` He Ying
2022-01-19 18:51 ` Kees Cook
2022-01-19 18:51 ` Kees Cook
2022-01-21 1:44 ` [PATCH -v2] " He Ying
2022-01-21 1:44 ` He Ying
2022-02-17 8:20 ` He Ying
2022-02-17 8:20 ` He Ying
2022-06-09 14:44 ` Michael Ellerman
2022-06-09 14:44 ` Michael Ellerman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.