linux-efi.vger.kernel.org archive mirror
* KASAN on SSDT override
@ 2022-10-13 10:57 Amadeusz Sławiński
  2022-10-13 11:05 ` Ard Biesheuvel
  0 siblings, 1 reply; 2+ messages in thread
From: Amadeusz Sławiński @ 2022-10-13 10:57 UTC
  To: Ard Biesheuvel; +Cc: linux-efi, Cezary Rojewski

Hi Ard,

since v6.0-rc1 we seem to occasionally hit a KASAN warning on one of the 
platforms where we override the SSDT.

I seem to have narrowed it down to merge commit 
97a77ab14ffac749ec2419c92ec2954111c22d22; I suspect that it is caused by 
3881ee0b1edce0ece72d24b7c74f46b73bd6dcba, but as the issue happens 
sporadically it is a bit hard to narrow it down.

Do you have any idea for a potential fix?

Following is the KASAN warning that we see:

[    6.367849] efi: loading SSDT from variable 
rt298-feec8565-23da-477c-a92d-9e0d5216fd74
[    6.367851] ACPI: Host-directed Dynamic ACPI Table Load:
[    6.367851] ACPI: SSDT 0xFFFF88810457F000 000122 (v01 INTEL  ALC298 
00000000 INTL 20180105)
[    6.584455] 
==================================================================
[    6.584455] BUG: KASAN: use-after-free in acpi_ns_repair_HID+0x125/0x242
[    6.584455] Read of size 1 at addr ffff88810457f0d3 by task 
kworker/0:1/18

[    6.584551] CPU: 0 PID: 18 Comm: kworker/0:1 Not tainted 5.19.0+ #100
[    6.584697] Hardware name: Intel Corporation Kabylake Client 
platform/Kabylake R DDR4 RVP, BIOS KBLSE2R1.R00.X142.P00.1809060233 
09/06/2018
[    6.584857] Workqueue: events acpi_table_events_fn
[    6.585006] Call Trace:
[    6.585023]  <TASK>
[    6.585038]  dump_stack_lvl+0x49/0x63
[    6.585190]  print_report.cold+0x5e/0x5d3
[    6.585338]  ? acpi_ns_repair_HID+0x125/0x242
[    6.585482]  kasan_report+0xaa/0x120
[    6.585513]  ? acpi_ns_repair_HID+0x125/0x242
[    6.585661]  __asan_load1+0x6e/0x80
[    6.585805]  acpi_ns_repair_HID+0x125/0x242
[    6.585951]  acpi_ns_repair_CID+0x62/0x18e
[    6.586099]  acpi_ns_complex_repairs+0xb0/0xec
[    6.586129]  ? acpi_ns_repair_HID+0x242/0x242
[    6.586278]  acpi_ns_check_return_value+0x16f/0x1bf
[    6.586429]  acpi_ns_evaluate+0x69a/0x811
[    6.586455]  acpi_ut_evaluate_object+0xe3/0x301
[    6.586481]  acpi_ut_execute_CID+0xb1/0x344
[    6.586504]  ? acpi_ut_execute_UID+0x1b1/0x1f3
[    6.586527]  ? acpi_ut_execute_UID+0x1f3/0x1f3
[    6.586549]  ? acpi_os_signal_semaphore+0xa6/0xd0
[    6.586574]  ? acpi_ut_release_mutex+0x1cb/0x1e0
[    6.586599]  acpi_get_object_info+0x206/0x5cd
[    6.586626]  ? acpi_ns_copy_device_id+0x6f/0x6f
[    6.586649]  ? up+0x4b/0x70
[    6.586671]  ? acpi_os_signal_semaphore+0xa6/0xd0
[    6.586702]  acpi_init_device_object+0x5b5/0xd00
[    6.586729]  ? acpi_iommu_fwspec_init+0xc0/0xc0
[    6.586752]  ? acpi_get_handle+0x103/0x154
[    6.586774]  ? acpi_get_data+0x16/0x16
[    6.586798]  ? __kasan_kmalloc+0xae/0xe0
[    6.586821]  ? kmem_cache_alloc_trace+0x19c/0x340
[    6.586847]  acpi_add_single_object+0xe6/0xd20
[    6.586871]  ? acpi_scan_check_dep+0xdb/0x380
[    6.586895]  ? get_acpi_device+0x30/0x30
[    6.586917]  ? acpi_init_device_object+0xd00/0xd00
[    6.586940]  ? preempt_count_sub+0x18/0xc0
[    6.586964]  ? _raw_spin_unlock_irqrestore+0x27/0x50
[    6.586987]  ? up+0x4b/0x70
[    6.587008]  ? acpi_os_signal_semaphore+0xa6/0xd0
[    6.587033]  ? acpi_ut_release_mutex+0x1cb/0x1e0
[    6.587060]  acpi_bus_check_add+0x1aa/0x3c0
[    6.587082]  ? __kasan_check_write+0x14/0x20
[    6.587106]  ? acpi_add_single_object+0xd20/0xd20
[    6.587132]  ? wake_up_process+0x15/0x20
[    6.587153]  ? preempt_count_sub+0x18/0xc0
[    6.587176]  ? _raw_spin_unlock_irqrestore+0x27/0x50
[    6.587199]  ? up+0x4b/0x70
[    6.587220]  ? acpi_os_signal_semaphore+0xa6/0xd0
[    6.587247]  acpi_bus_check_add_1+0x16/0x20
[    6.587269]  acpi_ns_walk_namespace+0x183/0x308
[    6.587293]  ? acpi_bus_check_add_2+0x20/0x20
[    6.587316]  ? acpi_bus_check_add_2+0x20/0x20
[    6.587340]  acpi_walk_namespace+0xfa/0x14b
[    6.587366]  acpi_bus_scan+0x13a/0x180
[    6.587390]  ? acpi_bus_check_add_1+0x20/0x20
[    6.587421]  ? __mutex_lock_slowpath+0x20/0x20
[    6.587455]  ? _raw_spin_unlock_bh+0x30/0x30
[    6.587487]  acpi_table_events_fn+0x26/0x50
[    6.587520]  process_one_work+0x452/0x740
[    6.587559]  worker_thread+0x2bb/0x6f0
[    6.587597]  ? process_one_work+0x740/0x740
[    6.587629]  kthread+0x175/0x1b0
[    6.587656]  ? kthread_complete_and_exit+0x30/0x30
[    6.587691]  ret_from_fork+0x1f/0x30
[    6.587700]  </TASK>

[    6.587700] Allocated by task 1:
[    6.587700]  kasan_save_stack+0x26/0x50
[    6.587700]  __kasan_kmalloc+0xae/0xe0
[    6.587700]  __kmalloc+0x1cc/0x3c0
[    6.587700]  efisubsys_init+0x371/0x778
[    6.587700]  do_one_initcall+0x97/0x2d0
[    6.587700]  kernel_init_freeable+0x3ca/0x459
[    6.587700]  kernel_init+0x1f/0x180
[    6.587700]  ret_from_fork+0x1f/0x30

[    6.587700] Freed by task 1:
[    6.587700]  kasan_save_stack+0x26/0x50
[    6.587700]  kasan_set_track+0x25/0x40
[    6.587700]  kasan_set_free_info+0x24/0x40
[    6.587700]  ____kasan_slab_free+0x177/0x1c0
[    6.587700]  __kasan_slab_free+0x12/0x20
[    6.587700]  slab_free_freelist_hook+0x97/0x1b0
[    6.587700]  kfree+0x1a9/0x3d0
[    6.587700]  efisubsys_init+0x3c8/0x778
[    6.587700]  do_one_initcall+0x97/0x2d0
[    6.587700]  kernel_init_freeable+0x3ca/0x459
[    6.587700]  kernel_init+0x1f/0x180
[    6.587700]  ret_from_fork+0x1f/0x30

[    6.587700] The buggy address belongs to the object at ffff88810457f000
                 which belongs to the cache kmalloc-512 of size 512
[    6.587700] The buggy address is located 211 bytes inside of
                 512-byte region [ffff88810457f000, ffff88810457f200)

[    6.587700] The buggy address belongs to the physical page:
[    6.587700] page:0000000009e09455 refcount:1 mapcount:0 
mapping:0000000000000000 index:0x0 pfn:0x10457c
[    6.587700] head:0000000009e09455 order:2 compound_mapcount:0 
compound_pincount:0
[    6.587700] flags: 
0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[    6.587700] raw: 0017ffffc0010200 0000000000000000 dead000000000122 
ffff888100042c80
[    6.587700] raw: 0000000000000000 0000000080100010 00000001ffffffff 
0000000000000000
[    6.587700] page dumped because: kasan: bad access detected

[    6.587700] Memory state around the buggy address:
[    6.587700]  ffff88810457ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc 
fc fc fc
[    6.587700]  ffff88810457f000: fa fb fb fb fb fb fb fb fb fb fb fb fb 
fb fb fb
[    6.587700] >ffff88810457f080: fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb fb fb
[    6.587700]                                                  ^
[    6.587700]  ffff88810457f100: fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb fb fb
[    6.587700]  ffff88810457f180: fb fb fb fb fb fb fb fb fb fb fb fb fb 
fb fb fb
[    6.587700] 
==================================================================

Thanks,
Amadeusz

* Re: KASAN on SSDT override
  2022-10-13 10:57 KASAN on SSDT override Amadeusz Sławiński
@ 2022-10-13 11:05 ` Ard Biesheuvel
  0 siblings, 0 replies; 2+ messages in thread
From: Ard Biesheuvel @ 2022-10-13 11:05 UTC
  To: Amadeusz Sławiński; +Cc: linux-efi, Cezary Rojewski

On Thu, 13 Oct 2022 at 12:57, Amadeusz Sławiński
<amadeuszx.slawinski@linux.intel.com> wrote:
>
> Hi Ard,
>
> since v6.0-rc1 we seem to occasionally hit a KASAN warning on one of the
> platforms where we override the SSDT.
>
> I seem to have narrowed it down to merge commit
> 97a77ab14ffac749ec2419c92ec2954111c22d22; I suspect that it is caused by
> 3881ee0b1edce0ece72d24b7c74f46b73bd6dcba, but as the issue happens
> sporadically it is a bit hard to narrow it down.
>
> Do you have any idea for a potential fix?
>

Yes, it seems that data should only be kfree()'d if the
acpi_load_table() call returns an error. I missed that when I did the
conversion.

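Added example (C, not kernel code, written here to illustrate Ard's point in the reply above): a toy table registry that, like acpi_load_table(), keeps the caller's buffer by pointer instead of copying it, next to the two ways of handling that buffer afterwards. load_ssdt_buggy() frees it unconditionally, so a later read through the registry trips the toy poisoning allocator the way KASAN tripped on the namespace walk above; load_ssdt_fixed() frees only when the load failed, which is the rule Ard states. All names (fake_acpi_load_table, ssdt_registry, tracked_*, load_ssdt_*) and the sample payloads are assumptions made for this example, not the kernel's own code or data.

```c
/* Added example, not kernel code: models the ownership rule behind the
 * report above. The registry keeps the caller's buffer by pointer, so the
 * caller may free it only when the load fails. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TABLES 4
#define MAX_BUFS   16

/* Stand-in for the ACPI table list: holds the loaded buffer by reference. */
struct ssdt_registry {
    const uint8_t *table[MAX_TABLES];
    size_t len[MAX_TABLES];
    int count;
};

/* Toy poisoning allocator: freed blocks are only flagged, never returned to
 * malloc, so a read through a stale pointer is reported instead of being
 * undefined behaviour (a miniature version of KASAN's shadow bytes). */
struct tracked_buf { uint8_t *data; size_t len; int freed; };
static struct tracked_buf bufs[MAX_BUFS];
static int nbufs;

static void tracked_reset(void) {
    for (int i = 0; i < nbufs; i++) free(bufs[i].data);
    nbufs = 0;
}

/* Like the kmalloc() + copy of the EFI variable payload; returns a handle. */
static int tracked_alloc(const uint8_t *src, size_t len) {
    if (nbufs == MAX_BUFS) return -1;
    uint8_t *p = malloc(len);
    if (!p) return -1;
    memcpy(p, src, len);
    bufs[nbufs] = (struct tracked_buf){ p, len, 0 };
    return nbufs++;
}

static void tracked_free(int id) { bufs[id].freed = 1; }

static int live_buffers(void) {
    int n = 0;
    for (int i = 0; i < nbufs; i++) n += !bufs[i].freed;
    return n;
}

/* Stand-in for acpi_load_table(): validate the signature, then install the
 * buffer by reference without copying. Returns 0 on success, -1 on error. */
static int fake_acpi_load_table(struct ssdt_registry *reg, const uint8_t *tbl, size_t len) {
    if (len < 4 || memcmp(tbl, "SSDT", 4) != 0) return -1;
    if (reg->count == MAX_TABLES) return -1;
    reg->table[reg->count] = tbl;
    reg->len[reg->count] = len;
    reg->count++;
    return 0;
}

/* Later consumer, like the namespace walk that evaluated _CID/_HID in the
 * trace. Returns 0 and stores the byte, or -1 if it lives in a freed block. */
static int registry_read_byte(const struct ssdt_registry *reg, int t, size_t off, uint8_t *out) {
    if (t < 0 || t >= reg->count || off >= reg->len[t]) return -1;
    for (int i = 0; i < nbufs; i++)
        if (bufs[i].data == reg->table[t] && bufs[i].freed) return -1;
    *out = reg->table[t][off];
    return 0;
}

/* The pattern behind the report: free unconditionally after the load. */
static int load_ssdt_buggy(struct ssdt_registry *reg, const uint8_t *var, size_t len) {
    int id = tracked_alloc(var, len);
    if (id < 0) return -1;
    int ret = fake_acpi_load_table(reg, bufs[id].data, len);
    tracked_free(id);      /* wrong when ret == 0: the table is now live */
    return ret;
}

/* The fix Ard describes: free only when the loader rejected the buffer. */
static int load_ssdt_fixed(struct ssdt_registry *reg, const uint8_t *var, size_t len) {
    int id = tracked_alloc(var, len);
    if (id < 0) return -1;
    int ret = fake_acpi_load_table(reg, bufs[id].data, len);
    if (ret)
        tracked_free(id);  /* loader kept nothing, so the buffer is ours */
    return ret;
}

/* Constructed payloads (not real AML): 4-byte signature plus an ASCII tail. */
static const uint8_t sample_ssdt[] = "SSDT" "ALC298";
static const uint8_t sample_bad[]  = "XXXX" "ALC298";

int main(void) {
    struct ssdt_registry reg = {0};
    uint8_t b = 0;
    load_ssdt_buggy(&reg, sample_ssdt, sizeof sample_ssdt);
    printf("buggy loader, later read: %s\n",
           registry_read_byte(&reg, 0, 4, &b) ? "use-after-free" : "ok");
    tracked_reset();
    reg = (struct ssdt_registry){0};
    load_ssdt_fixed(&reg, sample_ssdt, sizeof sample_ssdt);
    printf("fixed loader, later read: %s (byte '%c')\n",
           registry_read_byte(&reg, 0, 4, &b) ? "use-after-free" : "ok", b);
    return 0;
}
```

The check that matters is the one KASAN performed for real: the loader's consumer runs much later, from a workqueue, so a free placed on the success path is invisible at the call site and only shows up when the namespace is next walked. Treating a successful acpi_load_table() as a transfer of ownership, and freeing only on the error path, is the whole fix.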