* [ arm ] BUG: KASAN: stack-out-of-bounds in save_trace+0xf8/0x14c
@ 2020-11-16 15:06 Naresh Kamboju
  2020-11-18  9:05 ` Ard Biesheuvel
  0 siblings, 1 reply; 2+ messages in thread
From: Naresh Kamboju @ 2020-11-16 15:06 UTC (permalink / raw)
  To: Linux ARM, Linux-Next Mailing List, open list, linux-mm, lkft-triage
  Cc: Linus Walleij, Arnd Bergmann, Andrew Morton, Ard Biesheuvel,
	Masami Hiramatsu, Stephen Rothwell, Steven Rostedt

The following kernel warning was noticed on an arm KASAN-enabled config while
booting on qemu arm on the Linux next 20201116 tag.

[   10.811824] BUG: KASAN: stack-out-of-bounds in save_trace+0xf8/0x14c
[   10.814330] Read of size 4 at addr c7aa37bc by task udevadm/192
[   10.816669]
[   10.817310] CPU: 0 PID: 192 Comm: udevadm Not tainted
5.10.0-rc3-next-20201116 #2
[   10.820576] Hardware name: Generic DT based system
[   10.822886] [<c0315abc>] (unwind_backtrace) from [<c030ebf8>]
(show_stack+0x10/0x14)
[   10.827114] [<c030ebf8>] (show_stack) from [<c16c91cc>]
(dump_stack+0xc8/0xe0)
[   10.830696] [<c16c91cc>] (dump_stack) from [<c051b4ec>]
(print_address_description.constprop.0+0x34/0x2dc)
[   10.835673] [<c051b4ec>] (print_address_description.constprop.0)
from [<c051b9e0>] (kasan_report+0x1a8/0x1c4)
[   10.840888] [<c051b9e0>] (kasan_report) from [<c030e624>]
(save_trace+0xf8/0x14c)
[   10.844773] [<c030e624>] (save_trace) from [<c030e50c>]
(walk_stackframe+0x1c/0x3c)
[   10.848513] [<c030e50c>] (walk_stackframe) from [<c030e79c>]
(__save_stack_trace+0x124/0x12c)
[   10.852745] [<c030e79c>] (__save_stack_trace) from [<c040bc9c>]
(stack_trace_save+0x90/0xc0)
[   10.856653] [<c040bc9c>] (stack_trace_save) from [<c051aeb8>]
(kasan_save_stack+0x1c/0x40)
[   10.860463] [<c051aeb8>] (kasan_save_stack) from [<c051afac>]
(kasan_set_track+0x28/0x30)
[   10.864263] [<c051afac>] (kasan_set_track) from [<c051c748>]
(kasan_set_free_info+0x20/0x34)
[   10.868176] [<c051c748>] (kasan_set_free_info) from [<c051ae74>]
(____kasan_slab_free+0xd4/0xfc)
[   10.872253] [<c051ae74>] (____kasan_slab_free) from [<c0519194>]
(kmem_cache_free+0x80/0x4a0)
[   10.876217] [<c0519194>] (kmem_cache_free) from [<c040032c>]
(rcu_core+0x384/0x7f4)
[   10.879852] [<c040032c>] (rcu_core) from [<c03014d8>]
(__do_softirq+0x188/0x3d0)
[   10.883309] [<c03014d8>] (__do_softirq) from [<c0361f88>]
(irq_exit+0x100/0x124)
[   10.886748] [<c0361f88>] (irq_exit) from [<c03e712c>]
(__handle_domain_irq+0x7c/0xdc)
[   10.890378] [<c03e712c>] (__handle_domain_irq) from [<c09a8e04>]
(gic_handle_irq+0xb4/0xe0)
[   10.894268] [<c09a8e04>] (gic_handle_irq) from [<c0300b8c>]
(__irq_svc+0x6c/0x94)
[   10.897739] Exception stack(0xc7aa3698 to 0xc7aa36e0)
[   10.900109] 3680:
    c03000c0 c25e6660
[   10.903902] 36a0: c263bb70BUG: KASAN: stack-out-of-bounds in
save_trace+0xf8/0x14c c263fd88 c7aa37e0 c315c5e0 c312d9a0 c7aa3880
c040bc9c c03000c0
[   10.907859] 36c0: a0030013 c7aa38ec c312d9a0 c7aa36e8 c0315330
c031508c a0030013 ffffffff
[   10.912344] [<c0300b8c>] (__irq_svc) from [<c031508c>]
(search_index+0x8/0xec)
[   10.916050] [<c031508c>] (search_index) from [<c0564990>]
(__d_lookup_rcu+0x58/0x2a8)
[   10.920147] [<c0564990>] (__d_lookup_rcu) from [<c03000c0>]
(ret_fast_syscall+0x0/0x58)
[   10.924242] Exception stack(0xc7aa3780 to 0xc7aa37c8)
[   10.926923] 3780: c25f18a0 c7aa4000 00000000 00000000 00000003
1312d000 5fb25e68 00000000
[   10.931004] 37a0: 00000000 80000000 ffffffff 7fffffff 5fb25e68
00000000 ee7e2590 00000000
[   10.935188] 37c0: 41b58ab3 c247c3ec
[   10.936910]
[   10.937652] The buggy address belongs to the page:
[   10.939933] page:(ptrval) refcount:0 mapcount:0 mapping:00000000
index:0x0 pfn:0x47aa3
[   10.943733] flags: 0x0()
[   10.944995] raw: 00000000 ee60cef0 ee60cef0 00000000 00000000
00000000 ffffffff 00000000
[   10.948786] raw: 00000000
[   10.950037] page dumped because: kasan: bad access detected
[   10.952655]
[   10.953405] addr c7aa37bc is located in stack of task udevadm/192
at offset 156 in frame:
[   10.957194]  unwind_frame+0x0/0x8c0
[   10.958853]
[   10.959616] this frame has 1 object:
[   10.961322]  [32, 116) 'ctrl'
[   10.961329]
[   10.963476] Memory state around the buggy address:
[   10.965699]  c7aa3680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   10.968752]  c7aa3700: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
[   10.971846] >c7aa3780: 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[   10.974831]                                 ^
[   10.976883]  c7aa3800: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2
[   10.979907]  c7aa3880: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[   10.982919] ==================================================================
[   10.986244] Disabling lock debugging due to kernel taint

Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>

Full boot log link:
https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20201116/testrun/3445674/suite/linux-log-parser/test/check-kernel-bug-1944975/log

metadata:
  git branch: master
  git repo: https://gitlab.com/Linaro/lkft/mirrors/next/linux-next
  git describe: next-20201116
  kernel-config: https://builds.tuxbuild.com/1kMYEMmo35DocMgHZ9AtJReL3rN/config

-- 
Linaro LKFT
https://lkft.linaro.org



* Re: [ arm ] BUG: KASAN: stack-out-of-bounds in save_trace+0xf8/0x14c
  2020-11-16 15:06 [ arm ] BUG: KASAN: stack-out-of-bounds in save_trace+0xf8/0x14c Naresh Kamboju
@ 2020-11-18  9:05 ` Ard Biesheuvel
  0 siblings, 0 replies; 2+ messages in thread
From: Ard Biesheuvel @ 2020-11-18  9:05 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: Linux ARM, Linux-Next Mailing List, open list, linux-mm,
	lkft-triage, Linus Walleij, Arnd Bergmann, Andrew Morton,
	Masami Hiramatsu, Stephen Rothwell, Steven Rostedt

On Mon, 16 Nov 2020 at 16:06, Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
>
> The following kernel warning was noticed on an arm KASAN-enabled config while
> booting on qemu arm on the Linux next 20201116 tag.
>
> [   10.811824] BUG: KASAN: stack-out-of-bounds in save_trace+0xf8/0x14c

This looks like the same false positive we have seen before - the code
that captures the call stack when allocating or freeing memory may
inadvertently do an out-of-bounds access, but this is kind of OK for
diagnostic code, so my suggestion was to just disable the
instrumentation here (like other architectures do as well):

https://www.armlinux.org.uk/developer/patches/viewpatch.php?id=9028/1




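The report above can be read mechanically rather than by eye. The following triage helper is an added example, not code from the thread or from the kernel tree: it parses an excerpt of the report (re-joined from the mail-wrapped lines, so the excerpt is constructed), finds the shadow byte KASAN marks with `>` and `^`, and cross-checks the stack frame information. Shadow bytes cover 8 bytes of memory each, and the poison values in `SHADOW_LEGEND` follow the `KASAN_*` constants in the kernel's `mm/kasan/kasan.h` as the example author understands them; the `parse_report`, `shadow_for`, `locate_in_frame` and `triage` names are the example's own.

```python
import re

# One shadow byte describes 8 bytes of memory (KASAN_SHADOW_SCALE_SIZE); a
# "Memory state" row prints 16 shadow bytes, i.e. 128 bytes of memory.
GRANULE = 8
ROW_GRANULES = 16

# Poison values as defined in the kernel's mm/kasan/kasan.h (assumption:
# the legend reflects the 5.10-era constants). 0x00 and 0x01..0x07 are
# handled separately in describe_shadow().
SHADOW_LEGEND = {
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf9: "global redzone",
    0xfb: "freed slab object",
    0xfc: "slab (kmalloc) redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}

# Constructed excerpt of the report in this thread, with the mail-wrapped
# "addr ... in frame:" line joined back together.
REPORT = """\
[   10.811824] BUG: KASAN: stack-out-of-bounds in save_trace+0xf8/0x14c
[   10.814330] Read of size 4 at addr c7aa37bc by task udevadm/192
[   10.953405] addr c7aa37bc is located in stack of task udevadm/192 at offset 156 in frame:
[   10.957194]  unwind_frame+0x0/0x8c0
[   10.959616] this frame has 1 object:
[   10.961322]  [32, 116) 'ctrl'
[   10.963476] Memory state around the buggy address:
[   10.965699]  c7aa3680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   10.968752]  c7aa3700: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
[   10.971846] >c7aa3780: 00 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[   10.976883]  c7aa3800: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2
[   10.979907]  c7aa3880: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]")


def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "all 8 bytes addressable"
    if 1 <= value <= 7:
        return "first %d byte(s) addressable" % value
    return SHADOW_LEGEND.get(value, "unknown poison 0x%02x" % value)


def parse_report(text):
    """Extract bug type, access, stack frame objects and shadow rows."""
    rep = {"objects": [], "shadow": {}}
    lines = [_TS.sub("", l).strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r"BUG: KASAN: (\S+) in (\S+)", line)
        if m:
            rep["bug"], rep["where"] = m.group(1), m.group(2)
            continue
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line)
        if m:
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"] = int(m.group(3), 16)
            rep["task"], rep["pid"] = m.group(4), int(m.group(5))
            continue
        m = re.match(r"addr [0-9a-f]+ is located in stack of task \S+ at offset (\d+) in frame:", line)
        if m:
            rep["frame_offset"] = int(m.group(1))
            rep["frame"] = lines[i + 1]      # the frame symbol is on the next line
            continue
        m = re.match(r"\[(\d+), (\d+)\) '([^']+)'", line)
        if m:
            rep["objects"].append((int(m.group(1)), int(m.group(2)), m.group(3)))
            continue
        m = re.match(r">?\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s*)+)$", line)
        if m:
            rep["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rep


def shadow_for(rep, addr):
    """Return (shadow value, byte offset inside its 8-byte granule) for addr."""
    row_base = addr & ~(GRANULE * ROW_GRANULES - 1)
    row = rep["shadow"].get(row_base)
    if row is None:
        return None
    return row[(addr - row_base) // GRANULE], addr % GRANULE


def locate_in_frame(offset, objects):
    """Map a frame offset to the object it hits, or the gap after the nearest one."""
    for start, end, name in objects:
        if start <= offset < end:
            return ("inside", name, offset - start)
    before = [o for o in objects if o[1] <= offset]
    if before:
        start, end, name = max(before, key=lambda o: o[1])
        return ("after", name, offset - end)
    return ("unknown", None, 0)


def triage(text):
    rep = parse_report(text)
    value, off = shadow_for(rep, rep["addr"])
    return {
        "bug": rep["bug"], "where": rep["where"],
        "access": "%s of %d bytes" % (rep["access"], rep["size"]),
        "shadow": describe_shadow(value),
        "granule_offset": off,
        "frame": rep["frame"],
        "object": locate_in_frame(rep["frame_offset"], rep["objects"]),
    }


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print("%-15s %s" % (k, v))
```

For this report the faulting address falls 60 bytes into the marked row, so shadow byte 7 (`f3`, stack right redzone) is the one under the caret, and frame offset 156 is 40 bytes past the end of the frame's only object, `ctrl` at [32, 116): both views agree that the unwinder's `save_trace` read sits in the redzone of `unwind_frame`'s stack frame, which is exactly what the stack-out-of-bounds classification means.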