LinuxPPC-Dev Archive on lore.kernel.org
* [PATCH v3 0/3] KASAN for powerpc/32
@ 2019-01-12 11:16 Christophe Leroy
  2019-01-12 11:16 ` [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32 Christophe Leroy
                   ` (2 more replies)
  0 siblings, 3 replies; 19+ messages in thread
From: Christophe Leroy @ 2019-01-12 11:16 UTC (permalink / raw)
  To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	Nicholas Piggin, Aneesh Kumar K.V, Andrey Ryabinin,
	Alexander Potapenko, Dmitry Vyukov
  Cc: linux-mm, linuxppc-dev, linux-kernel, kasan-dev

This series adds KASAN support to powerpc/32.

Tested on nohash/32 (8xx) and book3s/32 (mpc832x, i.e. 603).

Changes in v3:
- Removed the printk() in kasan_early_init() to avoid build failure (see https://github.com/linuxppc/issues/issues/218)
- Added necessary changes in asm/book3s/32/pgtable.h to get it working on the powerpc 603 family
- Added a few KASAN_SANITIZE_xxx.o := n to successfully boot on the powerpc 603 family

Changes in v2:
- Rebased.
- Using __set_pte_at() to build the early table.
- Worked around and got rid of the patch adding asm/page.h in asm/pgtable-types.h
    ==> might be fixed independently but not needed for this series.

For book3s/32 (other than 603), it cannot work as is because, due to the HASHPTE
flag, we can't use the same page table for several PGD entries.

Christophe Leroy (3):
  powerpc/mm: prepare kernel for KAsan on PPC32
  powerpc/32: Move early_init() in a separate file
  powerpc/32: Add KASAN support

 arch/powerpc/Kconfig                         |  1 +
 arch/powerpc/include/asm/book3s/32/pgtable.h |  2 +
 arch/powerpc/include/asm/kasan.h             | 24 ++++++++++
 arch/powerpc/include/asm/nohash/32/pgtable.h |  2 +
 arch/powerpc/include/asm/ppc_asm.h           |  5 ++
 arch/powerpc/include/asm/setup.h             |  5 ++
 arch/powerpc/include/asm/string.h            | 14 ++++++
 arch/powerpc/kernel/Makefile                 |  6 ++-
 arch/powerpc/kernel/cputable.c               |  4 +-
 arch/powerpc/kernel/early_32.c               | 36 ++++++++++++++
 arch/powerpc/kernel/prom_init_check.sh       |  1 +
 arch/powerpc/kernel/setup-common.c           |  2 +
 arch/powerpc/kernel/setup_32.c               | 31 ++----------
 arch/powerpc/lib/Makefile                    |  3 ++
 arch/powerpc/lib/copy_32.S                   |  9 ++--
 arch/powerpc/mm/Makefile                     |  3 ++
 arch/powerpc/mm/dump_linuxpagetables.c       |  8 ++++
 arch/powerpc/mm/kasan_init.c                 | 72 ++++++++++++++++++++++++++++
 arch/powerpc/mm/mem.c                        |  4 ++
 19 files changed, 198 insertions(+), 34 deletions(-)
 create mode 100644 arch/powerpc/include/asm/kasan.h
 create mode 100644 arch/powerpc/kernel/early_32.c
 create mode 100644 arch/powerpc/mm/kasan_init.c

-- 
2.13.3


^ permalink raw reply	[flat|nested] 19+ messages in thread

* [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32
  2019-01-12 11:16 [PATCH v3 0/3] KASAN for powerpc/32 Christophe Leroy
@ 2019-01-12 11:16 ` Christophe Leroy
  2019-01-14  9:34   ` Dmitry Vyukov
  2019-01-12 11:16 ` [PATCH v3 2/3] powerpc/32: Move early_init() in a separate file Christophe Leroy
  2019-01-12 11:16 ` [PATCH v3 3/3] powerpc/32: Add KASAN support Christophe Leroy
  2 siblings, 1 reply; 19+ messages in thread
From: Christophe Leroy @ 2019-01-12 11:16 UTC (permalink / raw)
  To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	Nicholas Piggin, Aneesh Kumar K.V, Andrey Ryabinin,
	Alexander Potapenko, Dmitry Vyukov
  Cc: linux-mm, linuxppc-dev, linux-kernel, kasan-dev

In kernel/cputable.c, explicitly use memcpy() in order
to allow GCC to replace it with __memcpy() when KASAN is
selected.

Since commit 400c47d81ca38 ("powerpc32: memset: only use dcbz once cache is
enabled"), memset() can be used before activation of the cache,
so no need to use memset_io() for zeroing the BSS.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
---
 arch/powerpc/kernel/cputable.c | 4 ++--
 arch/powerpc/kernel/setup_32.c | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
index 1eab54bc6ee9..84814c8d1bcb 100644
--- a/arch/powerpc/kernel/cputable.c
+++ b/arch/powerpc/kernel/cputable.c
@@ -2147,7 +2147,7 @@ void __init set_cur_cpu_spec(struct cpu_spec *s)
 	struct cpu_spec *t = &the_cpu_spec;
 
 	t = PTRRELOC(t);
-	*t = *s;
+	memcpy(t, s, sizeof(*t));
 
 	*PTRRELOC(&cur_cpu_spec) = &the_cpu_spec;
 }
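Review bot: the reason for replacing a plain struct assignment with memcpy() is invisible at the call site; without a comment the next cleanup pass will fold `memcpy(t, s, sizeof(*t));` back into `*t = *s;` and silently reintroduce a compiler-generated call to the instrumented memcpy from code that runs before relocation. Suggest a one-line comment above it, e.g. `/* explicit memcpy() so asm/string.h can redirect it to __memcpy() under KASAN */`, and the same in setup_cpu_spec().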
@@ -2162,7 +2162,7 @@ static struct cpu_spec * __init setup_cpu_spec(unsigned long offset,
 	old = *t;
 
 	/* Copy everything, then do fixups */
-	*t = *s;
+	memcpy(t, s, sizeof(*t));
 
 	/*
 	 * If we are overriding a previous value derived from the real
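Review bot: `old = *t;` at the top of this hunk is a struct copy of the same struct cpu_spec, and the compiler is free to lower it to a memcpy() call exactly as it did for `*t = *s` (the disassembly posted later in the thread shows GCC emitting a memcpy call for the 88-byte copy). If it does, asm/string.h cannot redirect it to __memcpy() and setup_cpu_spec() still ends up in the instrumented memcpy; please check the object code for that copy too, or convert it as well.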
diff --git a/arch/powerpc/kernel/setup_32.c b/arch/powerpc/kernel/setup_32.c
index 947f904688b0..5e761eb16a6d 100644
--- a/arch/powerpc/kernel/setup_32.c
+++ b/arch/powerpc/kernel/setup_32.c
@@ -73,10 +73,8 @@ notrace unsigned long __init early_init(unsigned long dt_ptr)
 {
 	unsigned long offset = reloc_offset();
 
-	/* First zero the BSS -- use memset_io, some platforms don't have
-	 * caches on yet */
-	memset_io((void __iomem *)PTRRELOC(&__bss_start), 0,
-			__bss_stop - __bss_start);
+	/* First zero the BSS */
+	memset(PTRRELOC(&__bss_start), 0, __bss_stop - __bss_start);
 
 	/*
 	 * Identify the CPU type and fix up code sections
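Review bot: the replacement comment drops the information the old one carried, namely that this runs before the caches are enabled. Since memset() is only safe here because its dcbz path is skipped until machine_init() patches the jump out (commit 400c47d81ca38, cited in the commit message), keep that in the comment, e.g. `/* First zero the BSS; memset() is safe with caches off since its dcbz path is skipped until machine_init() */`, so nobody reintroduces an early dcbz user later.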
-- 
2.13.3



* [PATCH v3 2/3] powerpc/32: Move early_init() in a separate file
  2019-01-12 11:16 [PATCH v3 0/3] KASAN for powerpc/32 Christophe Leroy
  2019-01-12 11:16 ` [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32 Christophe Leroy
@ 2019-01-12 11:16 ` Christophe Leroy
  2019-01-12 11:16 ` [PATCH v3 3/3] powerpc/32: Add KASAN support Christophe Leroy
  2 siblings, 0 replies; 19+ messages in thread
From: Christophe Leroy @ 2019-01-12 11:16 UTC (permalink / raw)
  To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	Nicholas Piggin, Aneesh Kumar K.V, Andrey Ryabinin,
	Alexander Potapenko, Dmitry Vyukov
  Cc: linux-mm, linuxppc-dev, linux-kernel, kasan-dev

In preparation for KASAN, move early_init() into a separate
file in order to allow deactivation of KASAN for that function.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
---
 arch/powerpc/kernel/Makefile   |  2 +-
 arch/powerpc/kernel/early_32.c | 35 +++++++++++++++++++++++++++++++++++
 arch/powerpc/kernel/setup_32.c | 26 --------------------------
 3 files changed, 36 insertions(+), 27 deletions(-)
 create mode 100644 arch/powerpc/kernel/early_32.c

diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
index cb7f0bb9ee71..879b36602748 100644
--- a/arch/powerpc/kernel/Makefile
+++ b/arch/powerpc/kernel/Makefile
@@ -93,7 +93,7 @@ extra-y				+= vmlinux.lds
 
 obj-$(CONFIG_RELOCATABLE)	+= reloc_$(BITS).o
 
-obj-$(CONFIG_PPC32)		+= entry_32.o setup_32.o
+obj-$(CONFIG_PPC32)		+= entry_32.o setup_32.o early_32.o
 obj-$(CONFIG_PPC64)		+= dma-iommu.o iommu.o
 obj-$(CONFIG_KGDB)		+= kgdb.o
 obj-$(CONFIG_BOOTX_TEXT)	+= btext.o
diff --git a/arch/powerpc/kernel/early_32.c b/arch/powerpc/kernel/early_32.c
new file mode 100644
index 000000000000..b3e40d6d651c
--- /dev/null
+++ b/arch/powerpc/kernel/early_32.c
@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Early init before relocation
+ */
+
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <asm/setup.h>
+#include <asm/sections.h>
+
+/*
+ * We're called here very early in the boot.
+ *
+ * Note that the kernel may be running at an address which is different
+ * from the address that it was linked at, so we must use RELOC/PTRRELOC
+ * to access static data (including strings).  -- paulus
+ */
+notrace unsigned long __init early_init(unsigned long dt_ptr)
+{
+	unsigned long offset = reloc_offset();
+
+	/* First zero the BSS */
+	memset(PTRRELOC(&__bss_start), 0, __bss_stop - __bss_start);
+
+	/*
+	 * Identify the CPU type and fix up code sections
+	 * that depend on which cpu we have.
+	 */
+	identify_cpu(offset, mfspr(SPRN_PVR));
+
+	apply_feature_fixups();
+
+	return KERNELBASE + offset;
+}
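Review bot: the new file calls identify_cpu(), mfspr(SPRN_PVR), apply_feature_fixups() and memset() but includes only linux/init.h, linux/kernel.h, asm/setup.h and asm/sections.h, so it depends on whatever those pull in transitively (this worked in setup_32.c only because that file has a much longer include list). Add the headers that declare what is used directly, e.g. `#include <linux/string.h>`, `#include <asm/reg.h>` and `#include <asm/cputable.h>`, so the file keeps building when the indirect includes change.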
diff --git a/arch/powerpc/kernel/setup_32.c b/arch/powerpc/kernel/setup_32.c
index 5e761eb16a6d..b46a9a33225b 100644
--- a/arch/powerpc/kernel/setup_32.c
+++ b/arch/powerpc/kernel/setup_32.c
@@ -63,32 +63,6 @@ EXPORT_SYMBOL(DMA_MODE_READ);
 EXPORT_SYMBOL(DMA_MODE_WRITE);
 
 /*
- * We're called here very early in the boot.
- *
- * Note that the kernel may be running at an address which is different
- * from the address that it was linked at, so we must use RELOC/PTRRELOC
- * to access static data (including strings).  -- paulus
- */
-notrace unsigned long __init early_init(unsigned long dt_ptr)
-{
-	unsigned long offset = reloc_offset();
-
-	/* First zero the BSS */
-	memset(PTRRELOC(&__bss_start), 0, __bss_stop - __bss_start);
-
-	/*
-	 * Identify the CPU type and fix up code sections
-	 * that depend on which cpu we have.
-	 */
-	identify_cpu(offset, mfspr(SPRN_PVR));
-
-	apply_feature_fixups();
-
-	return KERNELBASE + offset;
-}
-
-
-/*
  * This is run before start_kernel(), the kernel has been relocated
  * and we are running with enough of the MMU enabled to have our
  * proper kernel virtual addresses
-- 
2.13.3



* [PATCH v3 3/3] powerpc/32: Add KASAN support
  2019-01-12 11:16 [PATCH v3 0/3] KASAN for powerpc/32 Christophe Leroy
  2019-01-12 11:16 ` [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32 Christophe Leroy
  2019-01-12 11:16 ` [PATCH v3 2/3] powerpc/32: Move early_init() in a separate file Christophe Leroy
@ 2019-01-12 11:16 ` Christophe Leroy
  2019-01-15 17:23   ` Andrey Ryabinin
  2 siblings, 1 reply; 19+ messages in thread
From: Christophe Leroy @ 2019-01-12 11:16 UTC (permalink / raw)
  To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	Nicholas Piggin, Aneesh Kumar K.V, Andrey Ryabinin,
	Alexander Potapenko, Dmitry Vyukov
  Cc: linux-mm, linuxppc-dev, linux-kernel, kasan-dev

This patch adds KASAN support for PPC32.

Note that on book3s it will only work on the 603 because the other
ones use a hash table and can therefore not share a single PTE table
covering the entire early KASAN shadow area.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
---
 arch/powerpc/Kconfig                         |  1 +
 arch/powerpc/include/asm/book3s/32/pgtable.h |  2 +
 arch/powerpc/include/asm/kasan.h             | 24 ++++++++++
 arch/powerpc/include/asm/nohash/32/pgtable.h |  2 +
 arch/powerpc/include/asm/ppc_asm.h           |  5 ++
 arch/powerpc/include/asm/setup.h             |  5 ++
 arch/powerpc/include/asm/string.h            | 14 ++++++
 arch/powerpc/kernel/Makefile                 |  4 ++
 arch/powerpc/kernel/early_32.c               |  1 +
 arch/powerpc/kernel/prom_init_check.sh       |  1 +
 arch/powerpc/kernel/setup-common.c           |  2 +
 arch/powerpc/kernel/setup_32.c               |  3 ++
 arch/powerpc/lib/Makefile                    |  3 ++
 arch/powerpc/lib/copy_32.S                   |  9 ++--
 arch/powerpc/mm/Makefile                     |  3 ++
 arch/powerpc/mm/dump_linuxpagetables.c       |  8 ++++
 arch/powerpc/mm/kasan_init.c                 | 72 ++++++++++++++++++++++++++++
 arch/powerpc/mm/mem.c                        |  4 ++
 18 files changed, 160 insertions(+), 3 deletions(-)
 create mode 100644 arch/powerpc/include/asm/kasan.h
 create mode 100644 arch/powerpc/mm/kasan_init.c

diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 2890d36eb531..11dcaa80d3ff 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -175,6 +175,7 @@ config PPC
 	select GENERIC_TIME_VSYSCALL
 	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
+	select HAVE_ARCH_KASAN			if PPC32
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_MMAP_RND_BITS
 	select HAVE_ARCH_MMAP_RND_COMPAT_BITS	if COMPAT
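Review bot: `select HAVE_ARCH_KASAN if PPC32` offers KASAN on every 32-bit platform, but the commit message says that on book3s/32 only the 603 works because the hash MMU cannot share one PTE table across the early shadow. Nothing in Kconfig stops a user from building a hash-MMU book3s/32 kernel with KASAN, which the series itself says cannot boot. Either narrow the condition so the hash-MMU book3s/32 configurations are excluded or, if the 603 case must stay selectable, document the limitation in the KASAN help text.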
diff --git a/arch/powerpc/include/asm/book3s/32/pgtable.h b/arch/powerpc/include/asm/book3s/32/pgtable.h
index 49d76adb9bc5..4543016f80ca 100644
--- a/arch/powerpc/include/asm/book3s/32/pgtable.h
+++ b/arch/powerpc/include/asm/book3s/32/pgtable.h
@@ -141,6 +141,8 @@ static inline bool pte_user(pte_t pte)
  */
 #ifdef CONFIG_HIGHMEM
 #define KVIRT_TOP	PKMAP_BASE
+#elif defined(CONFIG_KASAN)
+#define KVIRT_TOP	KASAN_SHADOW_START
 #else
 #define KVIRT_TOP	(0xfe000000UL)	/* for now, could be FIXMAP_BASE ? */
 #endif
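Review bot: with CONFIG_HIGHMEM also enabled, the first branch wins and KVIRT_TOP stays at PKMAP_BASE, so the new `#elif defined(CONFIG_KASAN)` branch is never used in that configuration. Since KASAN_SHADOW_START is carved out directly below FIXADDR_START (asm/kasan.h) and PKMAP_BASE is likewise placed just below the fixmap, please confirm that the pkmap area and the shadow cannot overlap when both options are on, or derive PKMAP_BASE from KASAN_SHADOW_START under CONFIG_KASAN; the same applies to the identical nohash/32 hunk.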
diff --git a/arch/powerpc/include/asm/kasan.h b/arch/powerpc/include/asm/kasan.h
new file mode 100644
index 000000000000..5d0088429b62
--- /dev/null
+++ b/arch/powerpc/include/asm/kasan.h
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __ASM_KASAN_H
+#define __ASM_KASAN_H
+
+#ifndef __ASSEMBLY__
+
+#include <asm/page.h>
+#include <asm/pgtable-types.h>
+#include <asm/fixmap.h>
+
+#define KASAN_SHADOW_SCALE_SHIFT	3
+#define KASAN_SHADOW_SIZE	((~0UL - PAGE_OFFSET + 1) >> KASAN_SHADOW_SCALE_SHIFT)
+
+#define KASAN_SHADOW_START	(ALIGN_DOWN(FIXADDR_START - KASAN_SHADOW_SIZE, \
+					    PGDIR_SIZE))
+#define KASAN_SHADOW_END	(KASAN_SHADOW_START + KASAN_SHADOW_SIZE)
+#define KASAN_SHADOW_OFFSET	(KASAN_SHADOW_START - \
+				 (PAGE_OFFSET >> KASAN_SHADOW_SCALE_SHIFT))
+
+void kasan_early_init(void);
+void kasan_init(void);
+
+#endif
+#endif
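Review bot: KASAN_SHADOW_OFFSET is computed from FIXADDR_START and PGDIR_SIZE at C level, but the compiler side needs the same constant: with CONFIG_KASAN_INLINE, scripts/Makefile.kasan passes CONFIG_KASAN_SHADOW_OFFSET to the compiler as -fasan-shadow-offset and the inline checks compute shadow addresses from it. This series defines no CONFIG_KASAN_SHADOW_OFFSET, so either the offset has to become a fixed Kconfig constant (with FIXADDR_START placed relative to it rather than the other way round) or the arch must restrict itself to outline instrumentation, and the Kconfig should say which.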
diff --git a/arch/powerpc/include/asm/nohash/32/pgtable.h b/arch/powerpc/include/asm/nohash/32/pgtable.h
index bed433358260..b3b52f02be1a 100644
--- a/arch/powerpc/include/asm/nohash/32/pgtable.h
+++ b/arch/powerpc/include/asm/nohash/32/pgtable.h
@@ -71,6 +71,8 @@ extern int icache_44x_need_flush;
  */
 #ifdef CONFIG_HIGHMEM
 #define KVIRT_TOP	PKMAP_BASE
+#elif defined(CONFIG_KASAN)
+#define KVIRT_TOP	KASAN_SHADOW_START
 #else
 #define KVIRT_TOP	(0xfe000000UL)	/* for now, could be FIXMAP_BASE ? */
 #endif
diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h
index e0637730a8e7..8d5291c721fa 100644
--- a/arch/powerpc/include/asm/ppc_asm.h
+++ b/arch/powerpc/include/asm/ppc_asm.h
@@ -251,6 +251,11 @@ GLUE(.,name):
 
 #define _GLOBAL_TOC(name) _GLOBAL(name)
 
+#define KASAN_OVERRIDE(x, y) \
+	.weak x;	     \
+	.set x, y
+
+
 #endif
 
 /*
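Review bot: a short comment on KASAN_OVERRIDE would help readers of copy_32.S: the macro makes `x` a weak alias of `y` so that, when KASAN is enabled, the strong instrumented memset/memcpy/memmove provided by the generic KASAN code replace the weak arch symbols while the `__` versions stay callable; without KASAN the weak symbols are the only definitions and nothing changes. Also drop one of the two blank lines before `#endif`.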
diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h
index 65676e2325b8..da7768aa996a 100644
--- a/arch/powerpc/include/asm/setup.h
+++ b/arch/powerpc/include/asm/setup.h
@@ -74,6 +74,11 @@ static inline void setup_spectre_v2(void) {};
 #endif
 void do_btb_flush_fixups(void);
 
+#ifndef CONFIG_KASAN
+static inline void kasan_early_init(void) { }
+static inline void kasan_init(void) { }
+#endif
+
 #endif /* !__ASSEMBLY__ */
 
 #endif	/* _ASM_POWERPC_SETUP_H */
diff --git a/arch/powerpc/include/asm/string.h b/arch/powerpc/include/asm/string.h
index 1647de15a31e..64d44d4836b4 100644
--- a/arch/powerpc/include/asm/string.h
+++ b/arch/powerpc/include/asm/string.h
@@ -27,6 +27,20 @@ extern int memcmp(const void *,const void *,__kernel_size_t);
 extern void * memchr(const void *,int,__kernel_size_t);
 extern void * memcpy_flushcache(void *,const void *,__kernel_size_t);
 
+void *__memset(void *s, int c, __kernel_size_t count);
+void *__memcpy(void *to, const void *from, __kernel_size_t n);
+void *__memmove(void *to, const void *from, __kernel_size_t n);
+
+#if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
+/*
+ * For files that are not instrumented (e.g. mm/slub.c) we
+ * should use not instrumented version of mem* functions.
+ */
+#define memcpy(dst, src, len) __memcpy(dst, src, len)
+#define memmove(dst, src, len) __memmove(dst, src, len)
+#define memset(s, c, n) __memset(s, c, n)
+#endif
+
 #ifdef CONFIG_PPC64
 #define __HAVE_ARCH_MEMSET32
 #define __HAVE_ARCH_MEMSET64
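Review bot: the comment above the `#define memcpy(...) __memcpy(...)` block should spell out its limit, because that limit is exactly what patch 1/3 works around: the macros rewrite only mem* calls that appear literally in the source, while copies the compiler emits on its own (struct assignments, inlined builtins) still resolve to the plain memcpy symbol, which is the instrumented one under KASAN. Suggest adding a sentence such as "compiler-generated calls are not redirected; code that must run before the shadow is mapped has to call memcpy()/memset() explicitly", so the KASAN_SANITIZE := n files are written accordingly.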
diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
index 879b36602748..7556000e1d0f 100644
--- a/arch/powerpc/kernel/Makefile
+++ b/arch/powerpc/kernel/Makefile
@@ -31,6 +31,10 @@ CFLAGS_REMOVE_btext.o = $(CC_FLAGS_FTRACE)
 CFLAGS_REMOVE_prom.o = $(CC_FLAGS_FTRACE)
 endif
 
+KASAN_SANITIZE_early_32.o := n
+KASAN_SANITIZE_cputable.o := n
+KASAN_SANITIZE_prom_init.o := n
+
 obj-y				:= cputable.o ptrace.o syscalls.o \
 				   irq.o align.o signal_32.o pmc.o vdso.o \
 				   process.o systbl.o idle.o \
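Review bot: KASAN_SANITIZE := n only removes the instrumentation from these objects; as patch 1/3 shows for cputable.c, compiler-generated copies in them still call the instrumented memcpy symbol. A one-line comment here saying that these three objects run before kasan_early_init() and therefore must neither be instrumented nor reach the shadow through mem* calls would make sure future additions to (or removals from) this list are made for the right reason.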
diff --git a/arch/powerpc/kernel/early_32.c b/arch/powerpc/kernel/early_32.c
index b3e40d6d651c..3482118ffe76 100644
--- a/arch/powerpc/kernel/early_32.c
+++ b/arch/powerpc/kernel/early_32.c
@@ -8,6 +8,7 @@
 #include <linux/kernel.h>
 #include <asm/setup.h>
 #include <asm/sections.h>
+#include <asm/asm-prototypes.h>
 
 /*
  * We're called here very early in the boot.
diff --git a/arch/powerpc/kernel/prom_init_check.sh b/arch/powerpc/kernel/prom_init_check.sh
index 667df97d2595..9282730661ed 100644
--- a/arch/powerpc/kernel/prom_init_check.sh
+++ b/arch/powerpc/kernel/prom_init_check.sh
@@ -18,6 +18,7 @@
 
 WHITELIST="add_reloc_offset __bss_start __bss_stop copy_and_flush
 _end enter_prom memcpy memset reloc_offset __secondary_hold
+__memcpy __memset
 __secondary_hold_acknowledge __secondary_hold_spinloop __start
 strcmp strcpy strlcpy strlen strncmp strstr kstrtobool logo_linux_clut224
 reloc_got2 kernstart_addr memstart_addr linux_banner _stext
diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c
index ca00fbb97cf8..16ff1ea66805 100644
--- a/arch/powerpc/kernel/setup-common.c
+++ b/arch/powerpc/kernel/setup-common.c
@@ -978,6 +978,8 @@ void __init setup_arch(char **cmdline_p)
 
 	paging_init();
 
+	kasan_init();
+
 	/* Initialize the MMU context management stuff. */
 	mmu_context_init();
 
diff --git a/arch/powerpc/kernel/setup_32.c b/arch/powerpc/kernel/setup_32.c
index b46a9a33225b..fe6990dec6fc 100644
--- a/arch/powerpc/kernel/setup_32.c
+++ b/arch/powerpc/kernel/setup_32.c
@@ -17,6 +17,7 @@
 #include <linux/console.h>
 #include <linux/memblock.h>
 #include <linux/export.h>
+#include <linux/kasan.h>
 
 #include <asm/io.h>
 #include <asm/prom.h>
@@ -75,6 +76,8 @@ notrace void __init machine_init(u64 dt_ptr)
 	unsigned int *addr = (unsigned int *)patch_site_addr(&patch__memset_nocache);
 	unsigned long insn;
 
+	kasan_early_init();
+
 	/* Configure static keys first, now that we're relocated. */
 	setup_feature_keys();
 
diff --git a/arch/powerpc/lib/Makefile b/arch/powerpc/lib/Makefile
index 3bf9fc6fd36c..31ca9d4ac92e 100644
--- a/arch/powerpc/lib/Makefile
+++ b/arch/powerpc/lib/Makefile
@@ -8,6 +8,9 @@ ccflags-$(CONFIG_PPC64)	:= $(NO_MINIMAL_TOC)
 CFLAGS_REMOVE_code-patching.o = $(CC_FLAGS_FTRACE)
 CFLAGS_REMOVE_feature-fixups.o = $(CC_FLAGS_FTRACE)
 
+KASAN_SANITIZE_code-patching.o := n
+KASAN_SANITIZE_feature-fixups.o := n
+
 obj-y += string.o alloc.o code-patching.o feature-fixups.o
 
 obj-$(CONFIG_PPC32)	+= div64.o copy_32.o crtsavres.o strlen_32.o
diff --git a/arch/powerpc/lib/copy_32.S b/arch/powerpc/lib/copy_32.S
index ba66846fe973..4d8a1c73b4cf 100644
--- a/arch/powerpc/lib/copy_32.S
+++ b/arch/powerpc/lib/copy_32.S
@@ -91,7 +91,8 @@ EXPORT_SYMBOL(memset16)
  * We therefore skip the optimised bloc that uses dcbz. This jump is
  * replaced by a nop once cache is active. This is done in machine_init()
  */
-_GLOBAL(memset)
+_GLOBAL(__memset)
+KASAN_OVERRIDE(memset, __memset)
 	cmplwi	0,r5,4
 	blt	7f
 
@@ -163,12 +164,14 @@ EXPORT_SYMBOL(memset)
  * We therefore jump to generic_memcpy which doesn't use dcbz. This jump is
  * replaced by a nop once cache is active. This is done in machine_init()
  */
-_GLOBAL(memmove)
+_GLOBAL(__memmove)
+KASAN_OVERRIDE(memmove, __memmove)
 	cmplw	0,r3,r4
 	bgt	backwards_memcpy
 	/* fall through */
 
-_GLOBAL(memcpy)
+_GLOBAL(__memcpy)
+KASAN_OVERRIDE(memcpy, __memcpy)
 1:	b	generic_memcpy
 	patch_site	1b, patch__memcpy_nocache
 
diff --git a/arch/powerpc/mm/Makefile b/arch/powerpc/mm/Makefile
index f965fc33a8b7..d6b76f25f6de 100644
--- a/arch/powerpc/mm/Makefile
+++ b/arch/powerpc/mm/Makefile
@@ -7,6 +7,8 @@ ccflags-$(CONFIG_PPC64)	:= $(NO_MINIMAL_TOC)
 
 CFLAGS_REMOVE_slb.o = $(CC_FLAGS_FTRACE)
 
+KASAN_SANITIZE_kasan_init.o := n
+
 obj-y				:= fault.o mem.o pgtable.o mmap.o \
 				   init_$(BITS).o pgtable_$(BITS).o \
 				   init-common.o mmu_context.o drmem.o
@@ -55,3 +57,4 @@ obj-$(CONFIG_PPC_BOOK3S_64)	+= dump_linuxpagetables-book3s64.o
 endif
 obj-$(CONFIG_PPC_HTDUMP)	+= dump_hashpagetable.o
 obj-$(CONFIG_PPC_MEM_KEYS)	+= pkeys.o
+obj-$(CONFIG_KASAN)		+= kasan_init.o
diff --git a/arch/powerpc/mm/dump_linuxpagetables.c b/arch/powerpc/mm/dump_linuxpagetables.c
index 6aa41669ac1a..c862b48118f1 100644
--- a/arch/powerpc/mm/dump_linuxpagetables.c
+++ b/arch/powerpc/mm/dump_linuxpagetables.c
@@ -94,6 +94,10 @@ static struct addr_marker address_markers[] = {
 	{ 0,	"Consistent mem start" },
 	{ 0,	"Consistent mem end" },
 #endif
+#ifdef CONFIG_KASAN
+	{ 0,	"kasan shadow mem start" },
+	{ 0,	"kasan shadow mem end" },
+#endif
 #ifdef CONFIG_HIGHMEM
 	{ 0,	"Highmem PTEs start" },
 	{ 0,	"Highmem PTEs end" },
@@ -310,6 +314,10 @@ static void populate_markers(void)
 	address_markers[i++].start_address = IOREMAP_TOP +
 					     CONFIG_CONSISTENT_SIZE;
 #endif
+#ifdef CONFIG_KASAN
+	address_markers[i++].start_address = KASAN_SHADOW_START;
+	address_markers[i++].start_address = KASAN_SHADOW_END;
+#endif
 #ifdef CONFIG_HIGHMEM
 	address_markers[i++].start_address = PKMAP_BASE;
 	address_markers[i++].start_address = PKMAP_ADDR(LAST_PKMAP);
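Review bot: address_markers[] has to be in ascending address order for the walker to advance through it, and these entries are inserted before the Highmem (PKMAP) markers. With the layout in asm/kasan.h the shadow sits directly below FIXADDR_START, i.e. above where the pkmap area normally lives, in which case the KASAN entries belong after the Highmem ones (and before Fixmap); please order them according to the final placement of KASAN_SHADOW_START relative to PKMAP_BASE, in both hunks.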
diff --git a/arch/powerpc/mm/kasan_init.c b/arch/powerpc/mm/kasan_init.c
new file mode 100644
index 000000000000..3edc9c2d2f3e
--- /dev/null
+++ b/arch/powerpc/mm/kasan_init.c
@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/kasan.h>
+#include <linux/printk.h>
+#include <linux/memblock.h>
+#include <asm/pgalloc.h>
+
+void __init kasan_early_init(void)
+{
+	unsigned long addr = KASAN_SHADOW_START & PGDIR_MASK;
+	unsigned long end = KASAN_SHADOW_END;
+	unsigned long next;
+	pmd_t *pmd = pmd_offset(pud_offset(pgd_offset_k(addr), addr), addr);
+	int i;
+	phys_addr_t pa = __pa(kasan_early_shadow_page);
+
+	for (i = 0; i < PTRS_PER_PTE; i++)
+		__set_pte_at(&init_mm, (unsigned long)kasan_early_shadow_page,
+			     kasan_early_shadow_pte + i,
+			     pfn_pte(PHYS_PFN(pa), PAGE_KERNEL_RO), 0);
+
+	do {
+		next = pgd_addr_end(addr, end);
+		pmd_populate_kernel(&init_mm, pmd, kasan_early_shadow_pte);
+	} while (pmd++, addr = next, addr != end);
+}
+
+static void __init kasan_init_region(struct memblock_region *reg)
+{
+	void *start = __va(reg->base);
+	void *end = __va(reg->base + reg->size);
+	unsigned long k_start, k_end, k_cur, k_next;
+	pmd_t *pmd;
+
+	if (start >= end)
+		return;
+
+	k_start = (unsigned long)kasan_mem_to_shadow(start);
+	k_end = (unsigned long)kasan_mem_to_shadow(end);
+	pmd = pmd_offset(pud_offset(pgd_offset_k(k_start), k_start), k_start);
+
+	for (k_cur = k_start; k_cur != k_end; k_cur = k_next, pmd++) {
+		k_next = pgd_addr_end(k_cur, k_end);
+		if ((void *)pmd_page_vaddr(*pmd) == kasan_early_shadow_pte) {
+			pte_t *new = pte_alloc_one_kernel(&init_mm);
+
+			if (!new)
+				panic("kasan: pte_alloc_one_kernel() failed");
+			memcpy(new, kasan_early_shadow_pte, PTE_TABLE_SIZE);
+			pmd_populate_kernel(&init_mm, pmd, new);
+		}
+	};
+
+	for (k_cur = k_start; k_cur < k_end; k_cur += PAGE_SIZE) {
+		phys_addr_t pa = memblock_phys_alloc(PAGE_SIZE, PAGE_SIZE);
+		pte_t pte = pfn_pte(PHYS_PFN(pa), PAGE_KERNEL);
+
+		pmd = pmd_offset(pud_offset(pgd_offset_k(k_cur), k_cur), k_cur);
+		pte_update(pte_offset_kernel(pmd, k_cur), ~0, pte_val(pte));
+	}
+	flush_tlb_kernel_range(k_start, k_end);
+}
+
+void __init kasan_init(void)
+{
+	struct memblock_region *reg;
+
+	for_each_memblock(memory, reg)
+		kasan_init_region(reg);
+
+	pr_info("KASAN init done\n");
+}
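Review bot: kasan_init() never re-enables reporting: init_task starts with kasan_depth = 1 so that nothing is reported until the arch says the shadow is ready, and the other arches end their kasan_init() with `init_task.kasan_depth = 0;` right before their "init done" message; without it this port boots but every report is silently dropped. Two more points in kasan_init_region(): memblock_phys_alloc() returns uninitialised memory, and the new shadow pages are mapped without being cleared, so the freshly covered region carries random poison bytes instead of zero (accessible); zero each page after mapping it, or allocate with a zeroing allocator, before flush_tlb_kernel_range(). And the `};` after the first for loop is a stray semicolon.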
diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
index 33cc6f676fa6..ae7db88b72d6 100644
--- a/arch/powerpc/mm/mem.c
+++ b/arch/powerpc/mm/mem.c
@@ -369,6 +369,10 @@ void __init mem_init(void)
 	pr_info("  * 0x%08lx..0x%08lx  : highmem PTEs\n",
 		PKMAP_BASE, PKMAP_ADDR(LAST_PKMAP));
 #endif /* CONFIG_HIGHMEM */
+#ifdef CONFIG_KASAN
+	pr_info("  * 0x%08lx..0x%08lx  : kasan shadow mem\n",
+		KASAN_SHADOW_START, KASAN_SHADOW_END);
+#endif
 #ifdef CONFIG_NOT_COHERENT_CACHE
 	pr_info("  * 0x%08lx..0x%08lx  : consistent mem\n",
 		IOREMAP_TOP, IOREMAP_TOP + CONFIG_CONSISTENT_SIZE);
-- 
2.13.3



* Re: [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32
  2019-01-12 11:16 ` [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32 Christophe Leroy
@ 2019-01-14  9:34   ` Dmitry Vyukov
  2019-01-15  7:27     ` Christophe Leroy
  0 siblings, 1 reply; 19+ messages in thread
From: Dmitry Vyukov @ 2019-01-14  9:34 UTC (permalink / raw)
  To: Christophe Leroy
  Cc: LKML, Nicholas Piggin, Linux-MM, Paul Mackerras,
	Aneesh Kumar K.V, Andrey Ryabinin, Alexander Potapenko,
	kasan-dev, linuxppc-dev

On Sat, Jan 12, 2019 at 12:16 PM Christophe Leroy
<christophe.leroy@c-s.fr> wrote:
>
> In kernel/cputable.c, explicitly use memcpy() in order
> to allow GCC to replace it with __memcpy() when KASAN is
> selected.
>
> Since commit 400c47d81ca38 ("powerpc32: memset: only use dcbz once cache is
> enabled"), memset() can be used before activation of the cache,
> so no need to use memset_io() for zeroing the BSS.
>
> Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
> ---
>  arch/powerpc/kernel/cputable.c | 4 ++--
>  arch/powerpc/kernel/setup_32.c | 6 ++----
>  2 files changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
> index 1eab54bc6ee9..84814c8d1bcb 100644
> --- a/arch/powerpc/kernel/cputable.c
> +++ b/arch/powerpc/kernel/cputable.c
> @@ -2147,7 +2147,7 @@ void __init set_cur_cpu_spec(struct cpu_spec *s)
>         struct cpu_spec *t = &the_cpu_spec;
>
>         t = PTRRELOC(t);
> -       *t = *s;
> +       memcpy(t, s, sizeof(*t));

Hi Christophe,

I understand why you are doing this, but this looks a bit fragile and
non-scalable. This may not work with the next version of the compiler,
a version of the compiler just different from yours, clang, etc.

Does using -ffreestanding and/or -fno-builtin-memcpy (-memset) help?
If it helps, perhaps it makes sense to add these flags to
KASAN_SANITIZE := n files.


>         *PTRRELOC(&cur_cpu_spec) = &the_cpu_spec;
>  }
> @@ -2162,7 +2162,7 @@ static struct cpu_spec * __init setup_cpu_spec(unsigned long offset,
>         old = *t;
>
>         /* Copy everything, then do fixups */
> -       *t = *s;
> +       memcpy(t, s, sizeof(*t));
>
>         /*
>          * If we are overriding a previous value derived from the real
> diff --git a/arch/powerpc/kernel/setup_32.c b/arch/powerpc/kernel/setup_32.c
> index 947f904688b0..5e761eb16a6d 100644
> --- a/arch/powerpc/kernel/setup_32.c
> +++ b/arch/powerpc/kernel/setup_32.c
> @@ -73,10 +73,8 @@ notrace unsigned long __init early_init(unsigned long dt_ptr)
>  {
>         unsigned long offset = reloc_offset();
>
> -       /* First zero the BSS -- use memset_io, some platforms don't have
> -        * caches on yet */
> -       memset_io((void __iomem *)PTRRELOC(&__bss_start), 0,
> -                       __bss_stop - __bss_start);
> +       /* First zero the BSS */
> +       memset(PTRRELOC(&__bss_start), 0, __bss_stop - __bss_start);
>
>         /*
>          * Identify the CPU type and fix up code sections
> --
> 2.13.3
>


* Re: [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32
  2019-01-14  9:34   ` Dmitry Vyukov
@ 2019-01-15  7:27     ` Christophe Leroy
  2019-01-15 11:14       ` Dmitry Vyukov
  0 siblings, 1 reply; 19+ messages in thread
From: Christophe Leroy @ 2019-01-15  7:27 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: LKML, Nicholas Piggin, Linux-MM, Paul Mackerras,
	Aneesh Kumar K.V, Andrey Ryabinin, Alexander Potapenko,
	kasan-dev, linuxppc-dev



On 01/14/2019 09:34 AM, Dmitry Vyukov wrote:
> On Sat, Jan 12, 2019 at 12:16 PM Christophe Leroy
> <christophe.leroy@c-s.fr> wrote:
> >
> > In kernel/cputable.c, explicitly use memcpy() in order
> > to allow GCC to replace it with __memcpy() when KASAN is
> > selected.
> >
> > Since commit 400c47d81ca38 ("powerpc32: memset: only use dcbz once cache is
> > enabled"), memset() can be used before activation of the cache,
> > so no need to use memset_io() for zeroing the BSS.
> >
> > Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
> > ---
> >  arch/powerpc/kernel/cputable.c | 4 ++--
> >  arch/powerpc/kernel/setup_32.c | 6 ++----
> >  2 files changed, 4 insertions(+), 6 deletions(-)
> >
> > diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
> > index 1eab54bc6ee9..84814c8d1bcb 100644
> > --- a/arch/powerpc/kernel/cputable.c
> > +++ b/arch/powerpc/kernel/cputable.c
> > @@ -2147,7 +2147,7 @@ void __init set_cur_cpu_spec(struct cpu_spec *s)
> >         struct cpu_spec *t = &the_cpu_spec;
> >
> >         t = PTRRELOC(t);
> > -       *t = *s;
> > +       memcpy(t, s, sizeof(*t));
> 
> Hi Christophe,
> 
> I understand why you are doing this, but this looks a bit fragile and
> non-scalable. This may not work with the next version of compiler,
> just different than yours version of compiler, clang, etc.

My feeling would be that this change makes it more solid.

My understanding is that when you do *t = *s, the compiler can use
whatever way it wants to do the copy.
When you do memcpy(), you ensure it will do it that way and not another
way, don't you?

My problem is that when using *t = *s, the function set_cur_cpu_spec() 
always calls memcpy(), not taking into account the following define 
which is in arch/powerpc/include/asm/string.h (other arches do the same):

#if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
/*
  * For files that are not instrumented (e.g. mm/slub.c) we
  * should use not instrumented version of mem* functions.
  */
#define memcpy(dst, src, len) __memcpy(dst, src, len)
#define memmove(dst, src, len) __memmove(dst, src, len)
#define memset(s, c, n) __memset(s, c, n)
#endif

void __init set_cur_cpu_spec(struct cpu_spec *s)
{
	struct cpu_spec *t = &the_cpu_spec;

	t = PTRRELOC(t);
	*t = *s;

	*PTRRELOC(&cur_cpu_spec) = &the_cpu_spec;
}

00000000 <set_cur_cpu_spec>:
    0:   94 21 ff f0     stwu    r1,-16(r1)
    4:   7c 08 02 a6     mflr    r0
    8:   bf c1 00 08     stmw    r30,8(r1)
    c:   3f e0 00 00     lis     r31,0
                         e: R_PPC_ADDR16_HA      .data..read_mostly
   10:   3b ff 00 00     addi    r31,r31,0
                         12: R_PPC_ADDR16_LO     .data..read_mostly
   14:   7c 7e 1b 78     mr      r30,r3
   18:   7f e3 fb 78     mr      r3,r31
   1c:   90 01 00 14     stw     r0,20(r1)
   20:   48 00 00 01     bl      20 <set_cur_cpu_spec+0x20>
                         20: R_PPC_REL24 add_reloc_offset
   24:   7f c4 f3 78     mr      r4,r30
   28:   38 a0 00 58     li      r5,88
   2c:   48 00 00 01     bl      2c <set_cur_cpu_spec+0x2c>
                         2c: R_PPC_REL24 memcpy
   30:   38 7f 00 58     addi    r3,r31,88
   34:   48 00 00 01     bl      34 <set_cur_cpu_spec+0x34>
                         34: R_PPC_REL24 add_reloc_offset
   38:   93 e3 00 00     stw     r31,0(r3)
   3c:   80 01 00 14     lwz     r0,20(r1)
   40:   bb c1 00 08     lmw     r30,8(r1)
   44:   7c 08 03 a6     mtlr    r0
   48:   38 21 00 10     addi    r1,r1,16
   4c:   4e 80 00 20     blr


When replacing *t = *s by memcpy(t, s, sizeof(*t)), GCC replaces it with
__memcpy() as expected.

> 
> Does using -ffreestanding and/or -fno-builtin-memcpy (-memset) help?

No it doesn't and to be honest I can't see how it would. My 
understanding is that it could be even worse because it would mean 
adding calls to memcpy() also in all trivial places where GCC does the 
copy itself by default.

Do you see any alternative?

Christophe

> If it helps, perhaps it makes sense to add these flags to
> KASAN_SANITIZE := n files.
> 
> 
>>          *PTRRELOC(&cur_cpu_spec) = &the_cpu_spec;
>>   }
>> @@ -2162,7 +2162,7 @@ static struct cpu_spec * __init setup_cpu_spec(unsigned long offset,
>>          old = *t;
>>
>>          /* Copy everything, then do fixups */
>> -       *t = *s;
>> +       memcpy(t, s, sizeof(*t));
>>
>>          /*
>>           * If we are overriding a previous value derived from the real
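Review bot: `old = *t;` two lines above the changed line is the same struct cpu_spec copy as the one the disassembly above shows GCC lowering to a `bl memcpy` with `li r5,88`, so this hunk closes only one of two identical exits from the __memcpy() redirection in setup_cpu_spec(); either turn it into `memcpy(&old, t, sizeof(old));` as well, or say in a comment why a compiler-emitted memcpy call is acceptable for that one. A short comment on the `+` line stating that the explicit call is what lets the `#define memcpy(dst, src, len) __memcpy(dst, src, len)` in asm/string.h take effect in this KASAN_SANITIZE := n object would also keep a later cleanup from turning it back into a struct assignment.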
>> diff --git a/arch/powerpc/kernel/setup_32.c b/arch/powerpc/kernel/setup_32.c
>> index 947f904688b0..5e761eb16a6d 100644
>> --- a/arch/powerpc/kernel/setup_32.c
>> +++ b/arch/powerpc/kernel/setup_32.c
>> @@ -73,10 +73,8 @@ notrace unsigned long __init early_init(unsigned long dt_ptr)
>>   {
>>          unsigned long offset = reloc_offset();
>>
>> -       /* First zero the BSS -- use memset_io, some platforms don't have
>> -        * caches on yet */
>> -       memset_io((void __iomem *)PTRRELOC(&__bss_start), 0,
>> -                       __bss_stop - __bss_start);
>> +       /* First zero the BSS */
>> +       memset(PTRRELOC(&__bss_start), 0, __bss_stop - __bss_start);
>>
>>          /*
>>           * Identify the CPU type and fix up code sections
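Review bot: the replacement comment `/* First zero the BSS */` drops the reason the old code avoided a plain memset (caches possibly still off), and the commit message's justification, commit 400c47d81ca38 making memset() usable before the cache is enabled, now lives only in the changelog; keep that one-line reason in the comment. It is also worth recording there that this memset runs before any KASAN shadow exists and therefore must resolve to the uninstrumented __memset(), which only holds because the object containing early_init() is built with KASAN_SANITIZE := n (the `KASAN_SANITIZE_early_32.o := n` line discussed later in this thread).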
>> --
>> 2.13.3
>>

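An added example, not code from the patch or the kernel tree, modelling in user space the asm/string.h redirection discussed above: only an explicit memcpy() token is rewritten to __memcpy() by the preprocessor, while a struct assignment is lowered by the compiler after preprocessing and therefore bypasses it. MODEL_CONFIG_KASAN, MODEL_SANITIZE_ADDRESS, struct spec and the call-counting __memcpy() are constructed stand-ins for CONFIG_KASAN, __SANITIZE_ADDRESS__, struct cpu_spec and the arch's uninstrumented copy routine.

```c
/* Added example, not from the patch or the kernel tree. User-space model of
 * the asm/string.h redirection: in an object built with KASAN_SANITIZE := n,
 * CONFIG_KASAN is set but the compiler's __SANITIZE_ADDRESS__ is not, so the
 * macro below rewrites every explicit memcpy() token into __memcpy(). A struct
 * assignment contains no memcpy token; the compiler lowers it after
 * preprocessing, either to inline loads/stores or to a call to the real
 * memcpy symbol, and either way the copy never reaches __memcpy(). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's uninstrumented __memcpy() (an arch routine in the
 * real tree): a byte loop that also counts how often it is reached. */
static unsigned long uninstrumented_calls;

static void *__memcpy(void *dst, const void *src, size_t n)
{
	unsigned char *d = dst;
	const unsigned char *s = src;

	uninstrumented_calls++;
	while (n--)
		*d++ = *s++;
	return dst;
}

/* Constructed stand-ins for CONFIG_KASAN and __SANITIZE_ADDRESS__ as seen by
 * a KASAN_SANITIZE := n object: KASAN enabled, this file not instrumented. */
#define MODEL_CONFIG_KASAN 1
#undef MODEL_SANITIZE_ADDRESS

#if defined(MODEL_CONFIG_KASAN) && !defined(MODEL_SANITIZE_ADDRESS)
#define memcpy(dst, src, len) __memcpy(dst, src, len)
#endif

/* 88 bytes, the length the disassembly above passes in r5: large enough that
 * GCC prefers a memcpy call over a handful of loads and stores. */
struct spec {
	unsigned int words[22];
};

/* Pre-patch form: a struct assignment. There is no memcpy token for the macro
 * to rewrite, so whatever the compiler emits bypasses __memcpy(). */
static void copy_by_assignment(struct spec *t, const struct spec *s)
{
	*t = *s;
}

/* Post-patch form: an explicit memcpy(), turned into __memcpy() by the
 * preprocessor before the compiler ever sees it. */
static void copy_by_memcpy(struct spec *t, const struct spec *s)
{
	memcpy(t, s, sizeof(*t));
}

/* Runs one copy routine on constructed data and returns how many times
 * __memcpy() was reached, or -1 if the copied bytes are wrong. */
static long probe(void (*copy)(struct spec *, const struct spec *))
{
	struct spec src, dst;
	unsigned int i;

	for (i = 0; i < 22; i++) {
		src.words[i] = 0x11u * (i + 1);
		dst.words[i] = 0;
	}
	uninstrumented_calls = 0;
	copy(&dst, &src);
	for (i = 0; i < 22; i++)
		if (dst.words[i] != src.words[i])
			return -1;
	return (long)uninstrumented_calls;
}

long calls_via_assignment(void)
{
	return probe(copy_by_assignment); /* 0: the redirection was bypassed */
}

long calls_via_memcpy(void)
{
	return probe(copy_by_memcpy); /* 1: routed through __memcpy() */
}

int main(void)
{
	printf("struct assignment reached __memcpy() %ld time(s)\n",
	       calls_via_assignment());
	printf("explicit memcpy() reached __memcpy() %ld time(s)\n",
	       calls_via_memcpy());
	return 0;
}
```

Whether the struct assignment becomes an inline copy or a call to the real memcpy symbol depends on the compiler and its version, which is exactly the nondeterminism the thread is about; the counter stays at zero in both cases.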

* Re: [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32
  2019-01-15  7:27     ` Christophe Leroy
@ 2019-01-15 11:14       ` Dmitry Vyukov
  2019-01-15 17:07         ` Andrey Ryabinin
  0 siblings, 1 reply; 19+ messages in thread
From: Dmitry Vyukov @ 2019-01-15 11:14 UTC (permalink / raw)
  To: Christophe Leroy
  Cc: LKML, Nicholas Piggin, Linux-MM, Paul Mackerras,
	Aneesh Kumar K.V, Andrey Ryabinin, Alexander Potapenko,
	kasan-dev, linuxppc-dev

On Tue, Jan 15, 2019 at 8:27 AM Christophe Leroy
<christophe.leroy@c-s.fr> wrote:
>
>
>
> On 01/14/2019 09:34 AM, Dmitry Vyukov wrote:
> > On Sat, Jan 12, 2019 at 12:16 PM Christophe Leroy
> > <christophe.leroy@c-s.fr> wrote:
> > >
> > > In kernel/cputable.c, explicitly use memcpy() in order
> > > to allow GCC to replace it with __memcpy() when KASAN is
> > > selected.
> > >
> > > Since commit 400c47d81ca38 ("powerpc32: memset: only use dcbz once cache is
> > > enabled"), memset() can be used before activation of the cache,
> > > so no need to use memset_io() for zeroing the BSS.
> > >
> > > Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
> > > ---
> > >  arch/powerpc/kernel/cputable.c | 4 ++--
> > >  arch/powerpc/kernel/setup_32.c | 6 ++----
> > >  2 files changed, 4 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
> > > index 1eab54bc6ee9..84814c8d1bcb 100644
> > > --- a/arch/powerpc/kernel/cputable.c
> > > +++ b/arch/powerpc/kernel/cputable.c
> > > @@ -2147,7 +2147,7 @@ void __init set_cur_cpu_spec(struct cpu_spec *s)
> > >         struct cpu_spec *t = &the_cpu_spec;
> > >
> > >         t = PTRRELOC(t);
> > > -       *t = *s;
> > > +       memcpy(t, s, sizeof(*t));
> >
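Review bot: the `+       memcpy(t, s, sizeof(*t));` line needs a one-line comment, because on its own it reads as a pointless rewrite of a struct assignment and will be reverted by the next cleanup. State that the explicit call is what allows the `#define memcpy(dst, src, len) __memcpy(dst, src, len)` in asm/string.h to route this copy to the uninstrumented __memcpy() in a KASAN_SANITIZE := n object, and that a struct assignment is invisible to that macro because the compiler emits the memcpy call itself after preprocessing.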
> > Hi Christophe,
> >
> > I understand why you are doing this, but this looks a bit fragile and
> > non-scalable. This may not work with the next version of compiler,
> > just different than yours version of compiler, clang, etc.
>
> My feeling would be that this change makes it more solid.
>
> My understanding is that when you do *t = *s, the compiler can use
> whatever way it wants to do the copy.
> When you do memcpy(), you ensure it will do it that way and not another
> way, don't you ?

It makes this single line more deterministic wrt code-gen (though,
strictly speaking the compiler can turn memcpy back into inline
instructions, it knows memcpy semantics anyway).
But the problem I meant is that the set of places that are subject to
this problem is not deterministic. So if we go with this solution,
after this change it's in the status "works on your machine" and we
either need to commit to not using struct copies and zeroing
throughout kernel code or potentially have a long tail of other
similar cases, and since they can be triggered by another compiler
version, we may need to backport these changes to previous releases
too. Whereas if we would go with compiler flags, it would prevent the
problem in all current and future places and with other past/future
versions of compilers.


> My problem is that when using *t = *s, the function set_cur_cpu_spec()
> always calls memcpy(), not taking into account the following define
> which is in arch/powerpc/include/asm/string.h (other arches do the same):
>
> #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
> /*
>   * For files that are not instrumented (e.g. mm/slub.c) we
>   * should use not instrumented version of mem* functions.
>   */
> #define memcpy(dst, src, len) __memcpy(dst, src, len)
> #define memmove(dst, src, len) __memmove(dst, src, len)
> #define memset(s, c, n) __memset(s, c, n)
> #endif
>
> void __init set_cur_cpu_spec(struct cpu_spec *s)
> {
>         struct cpu_spec *t = &the_cpu_spec;
>
>         t = PTRRELOC(t);
>         *t = *s;
>
>         *PTRRELOC(&cur_cpu_spec) = &the_cpu_spec;
> }
>
> 00000000 <set_cur_cpu_spec>:
>     0:   94 21 ff f0     stwu    r1,-16(r1)
>     4:   7c 08 02 a6     mflr    r0
>     8:   bf c1 00 08     stmw    r30,8(r1)
>     c:   3f e0 00 00     lis     r31,0
>                          e: R_PPC_ADDR16_HA      .data..read_mostly
>    10:   3b ff 00 00     addi    r31,r31,0
>                          12: R_PPC_ADDR16_LO     .data..read_mostly
>    14:   7c 7e 1b 78     mr      r30,r3
>    18:   7f e3 fb 78     mr      r3,r31
>    1c:   90 01 00 14     stw     r0,20(r1)
>    20:   48 00 00 01     bl      20 <set_cur_cpu_spec+0x20>
>                          20: R_PPC_REL24 add_reloc_offset
>    24:   7f c4 f3 78     mr      r4,r30
>    28:   38 a0 00 58     li      r5,88
>    2c:   48 00 00 01     bl      2c <set_cur_cpu_spec+0x2c>
>                          2c: R_PPC_REL24 memcpy
>    30:   38 7f 00 58     addi    r3,r31,88
>    34:   48 00 00 01     bl      34 <set_cur_cpu_spec+0x34>
>                          34: R_PPC_REL24 add_reloc_offset
>    38:   93 e3 00 00     stw     r31,0(r3)
>    3c:   80 01 00 14     lwz     r0,20(r1)
>    40:   bb c1 00 08     lmw     r30,8(r1)
>    44:   7c 08 03 a6     mtlr    r0
>    48:   38 21 00 10     addi    r1,r1,16
>    4c:   4e 80 00 20     blr
>
>
> When replacing *t = *s by memcpy(t, s, sizeof(*t)), GCC replaces it by
> __memcpy() as expected.
>
> >
> > Does using -ffreestanding and/or -fno-builtin-memcpy (-memset) help?
>
> No it doesn't and to be honest I can't see how it would. My
> understanding is that it could be even worse because it would mean
> adding calls to memcpy() also in all trivial places where GCC does the
> copy itself by default.

The idea was that with -ffreestanding compiler must not assume
presence of any runtime support library, so it must not emit any calls
that are not explicitly present in the source code. However, after
reading more docs, it seems that even with -ffreestanding gcc and
clang still assume presence of a runtime library that provides at
least memcpy,  memmove, memset and memcmp. There does not seem to be a
way to prevent clang and gcc from doing it. So I guess this approach
is our only option:

Acked-by: Dmitry Vyukov <dvyukov@google.com>

Though, a comment may be useful so that a next person does not try to
revert it back.


> Do you see any alternative ?
>
> Christophe
>
> > If it helps, perhaps it makes sense to add these flags to
> > KASAN_SANITIZE := n files.
> >
> >
> >>          *PTRRELOC(&cur_cpu_spec) = &the_cpu_spec;
> >>   }
> >> @@ -2162,7 +2162,7 @@ static struct cpu_spec * __init setup_cpu_spec(unsigned long offset,
> >>          old = *t;
> >>
> >>          /* Copy everything, then do fixups */
> >> -       *t = *s;
> >> +       memcpy(t, s, sizeof(*t));
> >>
> >>          /*
> >>           * If we are overriding a previous value derived from the real
> >> diff --git a/arch/powerpc/kernel/setup_32.c b/arch/powerpc/kernel/setup_32.c
> >> index 947f904688b0..5e761eb16a6d 100644
> >> --- a/arch/powerpc/kernel/setup_32.c
> >> +++ b/arch/powerpc/kernel/setup_32.c
> >> @@ -73,10 +73,8 @@ notrace unsigned long __init early_init(unsigned long dt_ptr)
> >>   {
> >>          unsigned long offset = reloc_offset();
> >>
> >> -       /* First zero the BSS -- use memset_io, some platforms don't have
> >> -        * caches on yet */
> >> -       memset_io((void __iomem *)PTRRELOC(&__bss_start), 0,
> >> -                       __bss_stop - __bss_start);
> >> +       /* First zero the BSS */
> >> +       memset(PTRRELOC(&__bss_start), 0, __bss_stop - __bss_start);
> >>
> >>          /*
> >>           * Identify the CPU type and fix up code sections
> >> --
> >> 2.13.3
> >>


* Re: [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32
  2019-01-15 11:14       ` Dmitry Vyukov
@ 2019-01-15 17:07         ` Andrey Ryabinin
  2019-01-15 17:10           ` Dmitry Vyukov
  0 siblings, 1 reply; 19+ messages in thread
From: Andrey Ryabinin @ 2019-01-15 17:07 UTC (permalink / raw)
  To: Dmitry Vyukov, Christophe Leroy
  Cc: LKML, Nicholas Piggin, Linux-MM, Alexander Potapenko,
	Aneesh Kumar K.V, Paul Mackerras, kasan-dev, linuxppc-dev



On 1/15/19 2:14 PM, Dmitry Vyukov wrote:
> On Tue, Jan 15, 2019 at 8:27 AM Christophe Leroy
> <christophe.leroy@c-s.fr> wrote:
>> On 01/14/2019 09:34 AM, Dmitry Vyukov wrote:
>>> On Sat, Jan 12, 2019 at 12:16 PM Christophe Leroy
>>> <christophe.leroy@c-s.fr> wrote:
>>> >
>>> > In kernel/cputable.c, explicitly use memcpy() in order
>>> > to allow GCC to replace it with __memcpy() when KASAN is
>>> > selected.
>>> >
>>> > Since commit 400c47d81ca38 ("powerpc32: memset: only use dcbz once cache is
>>> > enabled"), memset() can be used before activation of the cache,
>>> > so no need to use memset_io() for zeroing the BSS.
>>> >
>>> > Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
>>> > ---
>>> >  arch/powerpc/kernel/cputable.c | 4 ++--
>>> >  arch/powerpc/kernel/setup_32.c | 6 ++----
>>> >  2 files changed, 4 insertions(+), 6 deletions(-)
>>> >
>>> > diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
>>> > index 1eab54bc6ee9..84814c8d1bcb 100644
>>> > --- a/arch/powerpc/kernel/cputable.c
>>> > +++ b/arch/powerpc/kernel/cputable.c
>>> > @@ -2147,7 +2147,7 @@ void __init set_cur_cpu_spec(struct cpu_spec *s)
>>> >         struct cpu_spec *t = &the_cpu_spec;
>>> >
>>> >         t = PTRRELOC(t);
>>> > -       *t = *s;
>>> > +       memcpy(t, s, sizeof(*t));
>>>
>>> Hi Christophe,
>>>
>>> I understand why you are doing this, but this looks a bit fragile and
>>> non-scalable. This may not work with the next version of compiler,
>>> just different than yours version of compiler, clang, etc.
>>
>> My feeling would be that this change makes it more solid.
>>
>> My understanding is that when you do *t = *s, the compiler can use
>> whatever way it wants to do the copy.
>> When you do memcpy(), you ensure it will do it that way and not another
>> way, don't you ?
> 
> It makes this single line more deterministic wrt code-gen (though,
> strictly speaking the compiler can turn memcpy back into inline
> instructions, it knows memcpy semantics anyway).
> But the problem I meant is that the set of places that are subject to
> this problem is not deterministic. So if we go with this solution,
> after this change it's in the status "works on your machine" and we
> either need to commit to not using struct copies and zeroing
> throughout kernel code or potentially have a long tail of other
> similar cases, and since they can be triggered by another compiler
> version, we may need to backport these changes to previous releases
> too. Whereas if we would go with compiler flags, it would prevent the
> problem in all current and future places and with other past/future
> versions of compilers.
> 

The patch will work for any compiler. The point of this patch is to make
memcpy() visible to the preprocessor, which will replace it with __memcpy().

After the preprocessor's work, the compiler will see just a __memcpy() call here.



* Re: [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32
  2019-01-15 17:07         ` Andrey Ryabinin
@ 2019-01-15 17:10           ` Dmitry Vyukov
  2019-01-15 17:25             ` Christophe Leroy
  0 siblings, 1 reply; 19+ messages in thread
From: Dmitry Vyukov @ 2019-01-15 17:10 UTC (permalink / raw)
  To: Andrey Ryabinin
  Cc: LKML, Nicholas Piggin, Linux-MM, Paul Mackerras,
	Aneesh Kumar K.V, Alexander Potapenko, kasan-dev, linuxppc-dev

On Tue, Jan 15, 2019 at 6:06 PM Andrey Ryabinin <aryabinin@virtuozzo.com> wrote:
>
>
>
> On 1/15/19 2:14 PM, Dmitry Vyukov wrote:
> > On Tue, Jan 15, 2019 at 8:27 AM Christophe Leroy
> > <christophe.leroy@c-s.fr> wrote:
> >> On 01/14/2019 09:34 AM, Dmitry Vyukov wrote:
> >>> On Sat, Jan 12, 2019 at 12:16 PM Christophe Leroy
> >>> <christophe.leroy@c-s.fr> wrote:
> >>> >
> >>> > In kernel/cputable.c, explicitly use memcpy() in order
> >>> > to allow GCC to replace it with __memcpy() when KASAN is
> >>> > selected.
> >>> >
> >>> > Since commit 400c47d81ca38 ("powerpc32: memset: only use dcbz once cache is
> >>> > enabled"), memset() can be used before activation of the cache,
> >>> > so no need to use memset_io() for zeroing the BSS.
> >>> >
> >>> > Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
> >>> > ---
> >>> >  arch/powerpc/kernel/cputable.c | 4 ++--
> >>> >  arch/powerpc/kernel/setup_32.c | 6 ++----
> >>> >  2 files changed, 4 insertions(+), 6 deletions(-)
> >>> >
> >>> > diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
> >>> > index 1eab54bc6ee9..84814c8d1bcb 100644
> >>> > --- a/arch/powerpc/kernel/cputable.c
> >>> > +++ b/arch/powerpc/kernel/cputable.c
> >>> > @@ -2147,7 +2147,7 @@ void __init set_cur_cpu_spec(struct cpu_spec *s)
> >>> >         struct cpu_spec *t = &the_cpu_spec;
> >>> >
> >>> >         t = PTRRELOC(t);
> >>> > -       *t = *s;
> >>> > +       memcpy(t, s, sizeof(*t));
> >>>
> >>> Hi Christophe,
> >>>
> >>> I understand why you are doing this, but this looks a bit fragile and
> >>> non-scalable. This may not work with the next version of compiler,
> >>> just different than yours version of compiler, clang, etc.
> >>
> >> My feeling would be that this change makes it more solid.
> >>
> >> My understanding is that when you do *t = *s, the compiler can use
> >> whatever way it wants to do the copy.
> >> When you do memcpy(), you ensure it will do it that way and not another
> >> way, don't you ?
> >
> > It makes this single line more deterministic wrt code-gen (though,
> > strictly speaking the compiler can turn memcpy back into inline
> > instructions, it knows memcpy semantics anyway).
> > But the problem I meant is that the set of places that are subject to
> > this problem is not deterministic. So if we go with this solution,
> > after this change it's in the status "works on your machine" and we
> > either need to commit to not using struct copies and zeroing
> > throughout kernel code or potentially have a long tail of other
> > similar cases, and since they can be triggered by another compiler
> > version, we may need to backport these changes to previous releases
> > too. Whereas if we would go with compiler flags, it would prevent the
> > problem in all current and future places and with other past/future
> > versions of compilers.
> >
>
> The patch will work for any compiler. The point of this patch is to make
> memcpy() visible to the preprocessor, which will replace it with __memcpy().

For this single line, yes. But it does not mean that KASAN will work.

> After the preprocessor's work, the compiler will see just a __memcpy() call here.


* Re: [PATCH v3 3/3] powerpc/32: Add KASAN support
  2019-01-12 11:16 ` [PATCH v3 3/3] powerpc/32: Add KASAN support Christophe Leroy
@ 2019-01-15 17:23   ` Andrey Ryabinin
  2019-01-21  7:17     ` Christophe Leroy
  2019-01-21 10:36     ` Christophe Leroy
  0 siblings, 2 replies; 19+ messages in thread
From: Andrey Ryabinin @ 2019-01-15 17:23 UTC (permalink / raw)
  To: Christophe Leroy, Benjamin Herrenschmidt, Paul Mackerras,
	Michael Ellerman, Nicholas Piggin, Aneesh Kumar K.V,
	Alexander Potapenko, Dmitry Vyukov
  Cc: linux-mm, linuxppc-dev, linux-kernel, kasan-dev



On 1/12/19 2:16 PM, Christophe Leroy wrote:

> +KASAN_SANITIZE_early_32.o := n
> +KASAN_SANITIZE_cputable.o := n
> +KASAN_SANITIZE_prom_init.o := n
> +

Usually it's also a good idea to disable branch profiling: define DISABLE_BRANCH_PROFILING
either at the top of these files or via the Makefile. Branch profiling redefines the if() statement and calls
the instrumented ftrace_likely_update in every if().



> diff --git a/arch/powerpc/mm/kasan_init.c b/arch/powerpc/mm/kasan_init.c
> new file mode 100644
> index 000000000000..3edc9c2d2f3e

> +void __init kasan_init(void)
> +{
> +	struct memblock_region *reg;
> +
> +	for_each_memblock(memory, reg)
> +		kasan_init_region(reg);
> +
> +	pr_info("KASAN init done\n");

Without "init_task.kasan_depth = 0;" kasan will not report bugs.

There is a test_kasan module. Make sure that it produces reports.


* Re: [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32
  2019-01-15 17:10           ` Dmitry Vyukov
@ 2019-01-15 17:25             ` Christophe Leroy
  2019-01-16 10:03               ` Dmitry Vyukov
  0 siblings, 1 reply; 19+ messages in thread
From: Christophe Leroy @ 2019-01-15 17:25 UTC (permalink / raw)
  To: Dmitry Vyukov, Andrey Ryabinin
  Cc: LKML, Nicholas Piggin, Linux-MM, Alexander Potapenko,
	Aneesh Kumar K.V, Paul Mackerras, kasan-dev, linuxppc-dev



On 15/01/2019 at 18:10, Dmitry Vyukov wrote:
> On Tue, Jan 15, 2019 at 6:06 PM Andrey Ryabinin <aryabinin@virtuozzo.com> wrote:
>>
>>
>>
>> On 1/15/19 2:14 PM, Dmitry Vyukov wrote:
>>> On Tue, Jan 15, 2019 at 8:27 AM Christophe Leroy
>>> <christophe.leroy@c-s.fr> wrote:
>>>> On 01/14/2019 09:34 AM, Dmitry Vyukov wrote:
>>>>> On Sat, Jan 12, 2019 at 12:16 PM Christophe Leroy
>>>>> <christophe.leroy@c-s.fr> wrote:
>>>>> >
>>>>> > In kernel/cputable.c, explicitly use memcpy() in order
>>>>> > to allow GCC to replace it with __memcpy() when KASAN is
>>>>> > selected.
>>>>> >
>>>>> > Since commit 400c47d81ca38 ("powerpc32: memset: only use dcbz once cache is
>>>>> > enabled"), memset() can be used before activation of the cache,
>>>>> > so no need to use memset_io() for zeroing the BSS.
>>>>> >
>>>>> > Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
>>>>> > ---
>>>>> >  arch/powerpc/kernel/cputable.c | 4 ++--
>>>>> >  arch/powerpc/kernel/setup_32.c | 6 ++----
>>>>> >  2 files changed, 4 insertions(+), 6 deletions(-)
>>>>> >
>>>>> > diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
>>>>> > index 1eab54bc6ee9..84814c8d1bcb 100644
>>>>> > --- a/arch/powerpc/kernel/cputable.c
>>>>> > +++ b/arch/powerpc/kernel/cputable.c
>>>>> > @@ -2147,7 +2147,7 @@ void __init set_cur_cpu_spec(struct cpu_spec *s)
>>>>> >         struct cpu_spec *t = &the_cpu_spec;
>>>>> >
>>>>> >         t = PTRRELOC(t);
>>>>> > -       *t = *s;
>>>>> > +       memcpy(t, s, sizeof(*t));
>>>>>
>>>>> Hi Christophe,
>>>>>
>>>>> I understand why you are doing this, but this looks a bit fragile and
>>>>> non-scalable. This may not work with the next version of compiler,
>>>>> just different than yours version of compiler, clang, etc.
>>>>
>>>> My feeling would be that this change makes it more solid.
>>>>
>>>> My understanding is that when you do *t = *s, the compiler can use
>>>> whatever way it wants to do the copy.
>>>> When you do memcpy(), you ensure it will do it that way and not another
>>>> way, don't you ?
>>>
>>> It makes this single line more deterministic wrt code-gen (though,
>>> strictly speaking the compiler can turn memcpy back into inline
>>> instructions, it knows memcpy semantics anyway).
>>> But the problem I meant is that the set of places that are subject to
>>> this problem is not deterministic. So if we go with this solution,
>>> after this change it's in the status "works on your machine" and we
>>> either need to commit to not using struct copies and zeroing
>>> throughout kernel code or potentially have a long tail of other
>>> similar cases, and since they can be triggered by another compiler
>>> version, we may need to backport these changes to previous releases
>>> too. Whereas if we would go with compiler flags, it would prevent the
>>> problem in all current and future places and with other past/future
>>> versions of compilers.
>>>
>>
>> The patch will work for any compiler. The point of this patch is to make
>> memcpy() visible to the preprocessor, which will replace it with __memcpy().
> 
> For this single line, yes. But it does not mean that KASAN will work.
> 
>> After the preprocessor's work, the compiler will see just a __memcpy() call here.

This problem can affect any arch I believe. Maybe the 'solution' would 
be to run a generic script, similar to 
arch/powerpc/kernel/prom_init_check.sh, on all objects compiled with 
KASAN_SANITIZE_object.o := n to check that they don't include any reference 
to memcpy(), memset() or memmove()?

Christophe


* Re: [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32
  2019-01-15 17:25             ` Christophe Leroy
@ 2019-01-16 10:03               ` Dmitry Vyukov
  0 siblings, 0 replies; 19+ messages in thread
From: Dmitry Vyukov @ 2019-01-16 10:03 UTC (permalink / raw)
  To: Christophe Leroy
  Cc: Aneesh Kumar K.V, LKML, Nicholas Piggin, Linux-MM,
	Paul Mackerras, kasan-dev, Andrey Ryabinin, Alexander Potapenko,
	linuxppc-dev

On Tue, Jan 15, 2019 at 6:25 PM Christophe Leroy
<christophe.leroy@c-s.fr> wrote:
>
> On 15/01/2019 at 18:10, Dmitry Vyukov wrote:
> > On Tue, Jan 15, 2019 at 6:06 PM Andrey Ryabinin <aryabinin@virtuozzo.com> wrote:
> >>
> >> On 1/15/19 2:14 PM, Dmitry Vyukov wrote:
> >>> On Tue, Jan 15, 2019 at 8:27 AM Christophe Leroy
> >>> <christophe.leroy@c-s.fr> wrote:
> >>>> On 01/14/2019 09:34 AM, Dmitry Vyukov wrote:
> >>>>> On Sat, Jan 12, 2019 at 12:16 PM Christophe Leroy
> >>>>> <christophe.leroy@c-s.fr> wrote:
> >>>>> >
> >>>>> > In kernel/cputable.c, explicitly use memcpy() in order
> >>>>> > to allow GCC to replace it with __memcpy() when KASAN is
> >>>>> > selected.
> >>>>> >
> >>>>> > Since commit 400c47d81ca38 ("powerpc32: memset: only use dcbz once cache is
> >>>>> > enabled"), memset() can be used before activation of the cache,
> >>>>> > so no need to use memset_io() for zeroing the BSS.
> >>>>> >
> >>>>> > Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
> >>>>> > ---
> >>>>> >  arch/powerpc/kernel/cputable.c | 4 ++--
> >>>>> >  arch/powerpc/kernel/setup_32.c | 6 ++----
> >>>>> >  2 files changed, 4 insertions(+), 6 deletions(-)
> >>>>> >
> >>>>> > diff --git a/arch/powerpc/kernel/cputable.c b/arch/powerpc/kernel/cputable.c
> >>>>> > index 1eab54bc6ee9..84814c8d1bcb 100644
> >>>>> > --- a/arch/powerpc/kernel/cputable.c
> >>>>> > +++ b/arch/powerpc/kernel/cputable.c
> >>>>> > @@ -2147,7 +2147,7 @@ void __init set_cur_cpu_spec(struct cpu_spec *s)
> >>>>> >         struct cpu_spec *t = &the_cpu_spec;
> >>>>> >
> >>>>> >         t = PTRRELOC(t);
> >>>>> > -       *t = *s;
> >>>>> > +       memcpy(t, s, sizeof(*t));
> >>>>>
> >>>>> Hi Christophe,
> >>>>>
> >>>>> I understand why you are doing this, but this looks a bit fragile and
> >>>>> non-scalable. This may not work with the next version of compiler,
> >>>>> just different than yours version of compiler, clang, etc.
> >>>>
> >>>> My feeling would be that this change makes it more solid.
> >>>>
> >>>> My understanding is that when you do *t = *s, the compiler can use
> >>>> whatever way it wants to do the copy.
> >>>> When you do memcpy(), you ensure it will do it that way and not another
> >>>> way, don't you ?
> >>>
> >>> It makes this single line more deterministic wrt code-gen (though,
> >>> strictly speaking the compiler can turn memcpy back into inline
> >>> instructions, it knows memcpy semantics anyway).
> >>> But the problem I meant is that the set of places that are subject to
> >>> this problem is not deterministic. So if we go with this solution,
> >>> after this change it's in the status "works on your machine" and we
> >>> either need to commit to not using struct copies and zeroing
> >>> throughout kernel code or potentially have a long tail of other
> >>> similar cases, and since they can be triggered by another compiler
> >>> version, we may need to backport these changes to previous releases
> >>> too. Whereas if we would go with compiler flags, it would prevent the
> >>> problem in all current and future places and with other past/future
> >>> versions of compilers.
> >>>
> >>
> >> The patch will work for any compiler. The point of this patch is to make
> >> memcpy() visible to the preprocessor, which will replace it with __memcpy().
> >
> > For this single line, yes. But it does not mean that KASAN will work.
> >
> >> After the preprocessor's work, the compiler will see just a __memcpy() call here.
>
> This problem can affect any arch I believe. Maybe the 'solution' would
> be to run a generic script, similar to
> arch/powerpc/kernel/prom_init_check.sh, on all objects compiled with
> KASAN_SANITIZE_object.o := n to check that they don't include any reference
> to memcpy(), memset() or memmove()?


We do this when building the user-space sanitizers runtime. There all code
always runs with the sanitizer enabled, but at the same time must not be
instrumented. So we committed to changing all possible memcpy/memset
injection points and have a script that checks that we indeed have no
such calls on any path. There the problem is a bit simpler as we don't
have a gazillion combinations of configs and the runtime is usually
self-hosted (as it is bundled with the compiler), so we know what compiler
is used to build it. And all of that is checked on CI.
I don't know how much work it is to do the same for the kernel, though.
Adding -ffreestanding, if it worked, looked like a cheap option to
achieve the same.

Another option is to insert checks into KASAN's memcpy/memset that at
least some early init has completed. If early init hasn't finished
yet, then they could skip all additional work besides just doing
memcpy/memset. We can't afford this for memory access instrumentation
for performance reasons, but it should be bearable for memcpy/memset.


* Re: [PATCH v3 3/3] powerpc/32: Add KASAN support
  2019-01-15 17:23   ` Andrey Ryabinin
@ 2019-01-21  7:17     ` Christophe Leroy
  2019-01-21  8:30       ` Dmitry Vyukov
  2019-01-21 10:36     ` Christophe Leroy
  1 sibling, 1 reply; 19+ messages in thread
From: Christophe Leroy @ 2019-01-21  7:17 UTC (permalink / raw)
  To: Andrey Ryabinin, Benjamin Herrenschmidt, Paul Mackerras,
	Michael Ellerman, Nicholas Piggin, Aneesh Kumar K.V,
	Alexander Potapenko, Dmitry Vyukov
  Cc: linux-mm, linuxppc-dev, linux-kernel, kasan-dev



On 15/01/2019 at 18:23, Andrey Ryabinin wrote:
> 
> 
> On 1/12/19 2:16 PM, Christophe Leroy wrote:
> 
>> +KASAN_SANITIZE_early_32.o := n
>> +KASAN_SANITIZE_cputable.o := n
>> +KASAN_SANITIZE_prom_init.o := n
>> +
> 
> Usually it's also a good idea to disable branch profiling: define DISABLE_BRANCH_PROFILING
> either at the top of these files or via the Makefile. Branch profiling redefines the if() statement and calls
> the instrumented ftrace_likely_update in every if().
> 
> 
> 
>> diff --git a/arch/powerpc/mm/kasan_init.c b/arch/powerpc/mm/kasan_init.c
>> new file mode 100644
>> index 000000000000..3edc9c2d2f3e
> 
>> +void __init kasan_init(void)
>> +{
>> +	struct memblock_region *reg;
>> +
>> +	for_each_memblock(memory, reg)
>> +		kasan_init_region(reg);
>> +
>> +	pr_info("KASAN init done\n");
> 
> Without "init_task.kasan_depth = 0;" kasan will not report bugs.
> 
> There is a test_kasan module. Make sure that it produces reports.
> 

Thanks for the review.

Now I get the following very early in boot, what does that mean?

[    0.000000] KASAN init done
[    0.000000] ==================================================================
[    0.000000] BUG: KASAN: unknown-crash in memblock_alloc_try_nid+0xd8/0xf0
[    0.000000] Write of size 68 at addr c7ff5a90 by task swapper/0
[    0.000000]
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce #772
[    0.000000] Call Trace:
[    0.000000] [c094ded0] [c016c7e4] print_address_description+0x1a0/0x2b8 (unreliable)
[    0.000000] [c094df00] [c016caa0] kasan_report+0xe4/0x168
[    0.000000] [c094df40] [c016b464] memset+0x2c/0x4c
[    0.000000] [c094df60] [c08731f0] memblock_alloc_try_nid+0xd8/0xf0
[    0.000000] [c094df90] [c0861f20] mmu_context_init+0x58/0xa0
[    0.000000] [c094dfb0] [c085ca70] start_kernel+0x54/0x400
[    0.000000] [c094dff0] [c0002258] start_here+0x44/0x9c
[    0.000000]
[    0.000000]
[    0.000000] Memory state around the buggy address:
[    0.000000]  c7ff5980: e2 a1 87 81 bd d4 a5 b5 f8 8d 89 e7 72 bc 20 24
[    0.000000]  c7ff5a00: e7 b9 c1 c7 17 e9 b4 bd a4 d0 e7 a0 11 15 a5 b5
[    0.000000] >c7ff5a80: b5 e1 83 a5 2d 65 31 3f f3 e5 a7 ef 34 b5 69 b5
[    0.000000]                  ^
[    0.000000]  c7ff5b00: 21 a5 c1 c1 b4 bf 2d e5 e5 c3 f5 91 e3 b8 a1 34
[    0.000000]  c7ff5b80: ad ef 23 87 3d a6 ad b5 c3 c3 80 b7 ac b1 1f 37
[    0.000000] ==================================================================
[    0.000000] Disabling lock debugging due to kernel taint
[    0.000000] MMU: Allocated 76 bytes of context maps for 16 contexts
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 8176
[    0.000000] Kernel command line: console=ttyCPM0,115200N8 ip=192.168.2.7:192.168.2.2::255.0.0.0:vgoip:eth0:off kgdboc=ttyCPM0
[    0.000000] Dentry cache hash table entries: 16384 (order: 2, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 1, 32768 bytes)
[    0.000000] Memory: 99904K/131072K available (7376K kernel code, 528K rwdata, 1168K rodata, 576K init, 4623K bss, 31168K reserved, 0K cma-reserved)
[    0.000000] Kernel virtual memory layout:
[    0.000000]   * 0xffefc000..0xffffc000  : fixmap
[    0.000000]   * 0xf7c00000..0xffc00000  : kasan shadow mem
[    0.000000]   * 0xf7a00000..0xf7c00000  : consistent mem
[    0.000000]   * 0xf7a00000..0xf7a00000  : early ioremap
[    0.000000]   * 0xc9000000..0xf7a00000  : vmalloc & ioremap


Christophe


* Re: [PATCH v3 3/3] powerpc/32: Add KASAN support
  2019-01-21  7:17     ` Christophe Leroy
@ 2019-01-21  8:30       ` Dmitry Vyukov
  2019-01-21  8:37         ` Christophe Leroy
  0 siblings, 1 reply; 19+ messages in thread
From: Dmitry Vyukov @ 2019-01-21  8:30 UTC (permalink / raw)
  To: Christophe Leroy
  Cc: Aneesh Kumar K.V, LKML, Nicholas Piggin, Linux-MM,
	Paul Mackerras, kasan-dev, Andrey Ryabinin, Alexander Potapenko,
	linuxppc-dev

On Mon, Jan 21, 2019 at 8:17 AM Christophe Leroy
<christophe.leroy@c-s.fr> wrote:
>
>
>
> On 15/01/2019 at 18:23, Andrey Ryabinin wrote:
> >
> >
> > On 1/12/19 2:16 PM, Christophe Leroy wrote:
> >
> >> +KASAN_SANITIZE_early_32.o := n
> >> +KASAN_SANITIZE_cputable.o := n
> >> +KASAN_SANITIZE_prom_init.o := n
> >> +
> >
> > Usually it's also a good idea to disable branch profiling: define DISABLE_BRANCH_PROFILING
> > either at the top of these files or via the Makefile. Branch profiling redefines the if() statement and calls
> > the instrumented ftrace_likely_update in every if().
> >
> >
> >
> >> diff --git a/arch/powerpc/mm/kasan_init.c b/arch/powerpc/mm/kasan_init.c
> >> new file mode 100644
> >> index 000000000000..3edc9c2d2f3e
> >
> >> +void __init kasan_init(void)
> >> +{
> >> +    struct memblock_region *reg;
> >> +
> >> +    for_each_memblock(memory, reg)
> >> +            kasan_init_region(reg);
> >> +
> >> +    pr_info("KASAN init done\n");
> >
> > Without "init_task.kasan_depth = 0;" kasan will not report bugs.
> >
> > There is test_kasan module. Make sure that it produces reports.
> >
>
> Thanks for the review.
>
> Now I get the following very early in boot, what does that mean?

This looks like an instrumented memset call before kasan shadow is
mapped, or kasan shadow is not zeros. Does this happen before or after
mapping of kasan_early_shadow_page?
This version seems to miss what x86 code has to clear the early shadow:

/*
* kasan_early_shadow_page has been used as early shadow memory, thus
* it may contain some garbage. Now we can clear and write protect it,
* since after the TLB flush no one should write to it.
*/
memset(kasan_early_shadow_page, 0, PAGE_SIZE);


> [    0.000000] KASAN init done
> [    0.000000]
> ==================================================================
> [    0.000000] BUG: KASAN: unknown-crash in memblock_alloc_try_nid+0xd8/0xf0
> [    0.000000] Write of size 68 at addr c7ff5a90 by task swapper/0
> [    0.000000]
> [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce #772
> [    0.000000] Call Trace:
> [    0.000000] [c094ded0] [c016c7e4]
> print_address_description+0x1a0/0x2b8 (unreliable)
> [    0.000000] [c094df00] [c016caa0] kasan_report+0xe4/0x168
> [    0.000000] [c094df40] [c016b464] memset+0x2c/0x4c
> [    0.000000] [c094df60] [c08731f0] memblock_alloc_try_nid+0xd8/0xf0
> [    0.000000] [c094df90] [c0861f20] mmu_context_init+0x58/0xa0
> [    0.000000] [c094dfb0] [c085ca70] start_kernel+0x54/0x400
> [    0.000000] [c094dff0] [c0002258] start_here+0x44/0x9c
> [    0.000000]
> [    0.000000]
> [    0.000000] Memory state around the buggy address:
> [    0.000000]  c7ff5980: e2 a1 87 81 bd d4 a5 b5 f8 8d 89 e7 72 bc 20 24
> [    0.000000]  c7ff5a00: e7 b9 c1 c7 17 e9 b4 bd a4 d0 e7 a0 11 15 a5 b5
> [    0.000000] >c7ff5a80: b5 e1 83 a5 2d 65 31 3f f3 e5 a7 ef 34 b5 69 b5
> [    0.000000]                  ^
> [    0.000000]  c7ff5b00: 21 a5 c1 c1 b4 bf 2d e5 e5 c3 f5 91 e3 b8 a1 34
> [    0.000000]  c7ff5b80: ad ef 23 87 3d a6 ad b5 c3 c3 80 b7 ac b1 1f 37
> [    0.000000]
> ==================================================================
> [    0.000000] Disabling lock debugging due to kernel taint
> [    0.000000] MMU: Allocated 76 bytes of context maps for 16 contexts
> [    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 8176
> [    0.000000] Kernel command line: console=ttyCPM0,115200N8
> ip=192.168.2.7:192.168.2.2::255.0.0.0:vgoip:eth0:off kgdboc=ttyCPM0
> [    0.000000] Dentry cache hash table entries: 16384 (order: 2, 65536
> bytes)
> [    0.000000] Inode-cache hash table entries: 8192 (order: 1, 32768 bytes)
> [    0.000000] Memory: 99904K/131072K available (7376K kernel code, 528K
> rwdata, 1168K rodata, 576K init, 4623K bss, 31168K reserved, 0K
> cma-reserved)
> [    0.000000] Kernel virtual memory layout:
> [    0.000000]   * 0xffefc000..0xffffc000  : fixmap
> [    0.000000]   * 0xf7c00000..0xffc00000  : kasan shadow mem
> [    0.000000]   * 0xf7a00000..0xf7c00000  : consistent mem
> [    0.000000]   * 0xf7a00000..0xf7a00000  : early ioremap
> [    0.000000]   * 0xc9000000..0xf7a00000  : vmalloc & ioremap
>
>
> Christophe


* Re: [PATCH v3 3/3] powerpc/32: Add KASAN support
  2019-01-21  8:30       ` Dmitry Vyukov
@ 2019-01-21  8:37         ` Christophe Leroy
  2019-01-21  9:24           ` Dmitry Vyukov
  0 siblings, 1 reply; 19+ messages in thread
From: Christophe Leroy @ 2019-01-21  8:37 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Aneesh Kumar K.V, LKML, Nicholas Piggin, Linux-MM,
	Paul Mackerras, kasan-dev, Andrey Ryabinin, Alexander Potapenko,
	linuxppc-dev



Le 21/01/2019 à 09:30, Dmitry Vyukov a écrit :
> On Mon, Jan 21, 2019 at 8:17 AM Christophe Leroy
> <christophe.leroy@c-s.fr> wrote:
>>
>>
>>
>> Le 15/01/2019 à 18:23, Andrey Ryabinin a écrit :
>>>
>>>
>>> On 1/12/19 2:16 PM, Christophe Leroy wrote:
>>>
>>>> +KASAN_SANITIZE_early_32.o := n
>>>> +KASAN_SANITIZE_cputable.o := n
>>>> +KASAN_SANITIZE_prom_init.o := n
>>>> +
>>>
>>> Usually it's also a good idea to disable branch profiling - define DISABLE_BRANCH_PROFILING
>>> either in top of these files or via Makefile. Branch profiling redefines if() statement and calls
>>> instrumented ftrace_likely_update in every if().
>>>
>>>
>>>
>>>> diff --git a/arch/powerpc/mm/kasan_init.c b/arch/powerpc/mm/kasan_init.c
>>>> new file mode 100644
>>>> index 000000000000..3edc9c2d2f3e
>>>
>>>> +void __init kasan_init(void)
>>>> +{
>>>> +    struct memblock_region *reg;
>>>> +
>>>> +    for_each_memblock(memory, reg)
>>>> +            kasan_init_region(reg);
>>>> +
>>>> +    pr_info("KASAN init done\n");
>>>
>>> Without "init_task.kasan_depth = 0;" kasan will not report bugs.
>>>
>>> There is test_kasan module. Make sure that it produces reports.
>>>
>>
>> Thanks for the review.
>>
>> Now I get the following very early in boot, what does that mean?
> 
> This looks like an instrumented memset call before kasan shadow is
> mapped, or kasan shadow is not zeros. Does this happen before or after
> mapping of kasan_early_shadow_page?

This is after the mapping of kasan_early_shadow_page.

> This version seems to miss what x86 code has to clear the early shadow:
> 
> /*
> * kasan_early_shadow_page has been used as early shadow memory, thus
> * it may contain some garbage. Now we can clear and write protect it,
> * since after the TLB flush no one should write to it.
> */
> memset(kasan_early_shadow_page, 0, PAGE_SIZE);

In the early part, kasan_early_shadow_page is mapped read-only so I 
assumed this reset of its content was unnecessary.

I'll try with it.

Christophe

> 
> 
>> [    0.000000] KASAN init done
>> [    0.000000]
>> ==================================================================
>> [    0.000000] BUG: KASAN: unknown-crash in memblock_alloc_try_nid+0xd8/0xf0
>> [    0.000000] Write of size 68 at addr c7ff5a90 by task swapper/0
>> [    0.000000]
>> [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted
>> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce #772
>> [    0.000000] Call Trace:
>> [    0.000000] [c094ded0] [c016c7e4]
>> print_address_description+0x1a0/0x2b8 (unreliable)
>> [    0.000000] [c094df00] [c016caa0] kasan_report+0xe4/0x168
>> [    0.000000] [c094df40] [c016b464] memset+0x2c/0x4c
>> [    0.000000] [c094df60] [c08731f0] memblock_alloc_try_nid+0xd8/0xf0
>> [    0.000000] [c094df90] [c0861f20] mmu_context_init+0x58/0xa0
>> [    0.000000] [c094dfb0] [c085ca70] start_kernel+0x54/0x400
>> [    0.000000] [c094dff0] [c0002258] start_here+0x44/0x9c
>> [    0.000000]
>> [    0.000000]
>> [    0.000000] Memory state around the buggy address:
>> [    0.000000]  c7ff5980: e2 a1 87 81 bd d4 a5 b5 f8 8d 89 e7 72 bc 20 24
>> [    0.000000]  c7ff5a00: e7 b9 c1 c7 17 e9 b4 bd a4 d0 e7 a0 11 15 a5 b5
>> [    0.000000] >c7ff5a80: b5 e1 83 a5 2d 65 31 3f f3 e5 a7 ef 34 b5 69 b5
>> [    0.000000]                  ^
>> [    0.000000]  c7ff5b00: 21 a5 c1 c1 b4 bf 2d e5 e5 c3 f5 91 e3 b8 a1 34
>> [    0.000000]  c7ff5b80: ad ef 23 87 3d a6 ad b5 c3 c3 80 b7 ac b1 1f 37
>> [    0.000000]
>> ==================================================================
>> [    0.000000] Disabling lock debugging due to kernel taint
>> [    0.000000] MMU: Allocated 76 bytes of context maps for 16 contexts
>> [    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 8176
>> [    0.000000] Kernel command line: console=ttyCPM0,115200N8
>> ip=192.168.2.7:192.168.2.2::255.0.0.0:vgoip:eth0:off kgdboc=ttyCPM0
>> [    0.000000] Dentry cache hash table entries: 16384 (order: 2, 65536
>> bytes)
>> [    0.000000] Inode-cache hash table entries: 8192 (order: 1, 32768 bytes)
>> [    0.000000] Memory: 99904K/131072K available (7376K kernel code, 528K
>> rwdata, 1168K rodata, 576K init, 4623K bss, 31168K reserved, 0K
>> cma-reserved)
>> [    0.000000] Kernel virtual memory layout:
>> [    0.000000]   * 0xffefc000..0xffffc000  : fixmap
>> [    0.000000]   * 0xf7c00000..0xffc00000  : kasan shadow mem
>> [    0.000000]   * 0xf7a00000..0xf7c00000  : consistent mem
>> [    0.000000]   * 0xf7a00000..0xf7a00000  : early ioremap
>> [    0.000000]   * 0xc9000000..0xf7a00000  : vmalloc & ioremap
>>
>>
>> Christophe


* Re: [PATCH v3 3/3] powerpc/32: Add KASAN support
  2019-01-21  8:37         ` Christophe Leroy
@ 2019-01-21  9:24           ` Dmitry Vyukov
  2019-01-21  9:30             ` Christophe Leroy
  0 siblings, 1 reply; 19+ messages in thread
From: Dmitry Vyukov @ 2019-01-21  9:24 UTC (permalink / raw)
  To: Christophe Leroy
  Cc: Aneesh Kumar K.V, LKML, Nicholas Piggin, Linux-MM,
	Paul Mackerras, kasan-dev, Andrey Ryabinin, Alexander Potapenko,
	linuxppc-dev

On Mon, Jan 21, 2019 at 9:37 AM Christophe Leroy
<christophe.leroy@c-s.fr> wrote:
>
>
>
> Le 21/01/2019 à 09:30, Dmitry Vyukov a écrit :
> > On Mon, Jan 21, 2019 at 8:17 AM Christophe Leroy
> > <christophe.leroy@c-s.fr> wrote:
> >>
> >>
> >>
> >> Le 15/01/2019 à 18:23, Andrey Ryabinin a écrit :
> >>>
> >>>
> >>> On 1/12/19 2:16 PM, Christophe Leroy wrote:
> >>>
> >>>> +KASAN_SANITIZE_early_32.o := n
> >>>> +KASAN_SANITIZE_cputable.o := n
> >>>> +KASAN_SANITIZE_prom_init.o := n
> >>>> +
> >>>
> >>> Usually it's also a good idea to disable branch profiling - define DISABLE_BRANCH_PROFILING
> >>> either in top of these files or via Makefile. Branch profiling redefines if() statement and calls
> >>> instrumented ftrace_likely_update in every if().
> >>>
> >>>
> >>>
> >>>> diff --git a/arch/powerpc/mm/kasan_init.c b/arch/powerpc/mm/kasan_init.c
> >>>> new file mode 100644
> >>>> index 000000000000..3edc9c2d2f3e
> >>>
> >>>> +void __init kasan_init(void)
> >>>> +{
> >>>> +    struct memblock_region *reg;
> >>>> +
> >>>> +    for_each_memblock(memory, reg)
> >>>> +            kasan_init_region(reg);
> >>>> +
> >>>> +    pr_info("KASAN init done\n");
> >>>
> >>> Without "init_task.kasan_depth = 0;" kasan will not report bugs.
> >>>
> >>> There is test_kasan module. Make sure that it produces reports.
> >>>
> >>
> >> Thanks for the review.
> >>
> >> Now I get the following very early in boot, what does that mean?
> >
> > This looks like an instrumented memset call before kasan shadow is
> > mapped, or kasan shadow is not zeros. Does this happen before or after
> > mapping of kasan_early_shadow_page?
>
> This is after the mapping of kasan_early_shadow_page.
>
> > This version seems to miss what x86 code has to clear the early shadow:
> >
> > /*
> > * kasan_early_shadow_page has been used as early shadow memory, thus
> > * it may contain some garbage. Now we can clear and write protect it,
> > * since after the TLB flush no one should write to it.
> > */
> > memset(kasan_early_shadow_page, 0, PAGE_SIZE);
>
> In the early part, kasan_early_shadow_page is mapped read-only so I
> assumed this reset of its content was unnecessary.
>
> I'll try with it.
>
> Christophe

As far as I understand machine memory contains garbage after boot, and
that page needs to be all 0's so we need to explicitly memset it.


> >> [    0.000000] KASAN init done
> >> [    0.000000]
> >> ==================================================================
> >> [    0.000000] BUG: KASAN: unknown-crash in memblock_alloc_try_nid+0xd8/0xf0
> >> [    0.000000] Write of size 68 at addr c7ff5a90 by task swapper/0
> >> [    0.000000]
> >> [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted
> >> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce #772
> >> [    0.000000] Call Trace:
> >> [    0.000000] [c094ded0] [c016c7e4]
> >> print_address_description+0x1a0/0x2b8 (unreliable)
> >> [    0.000000] [c094df00] [c016caa0] kasan_report+0xe4/0x168
> >> [    0.000000] [c094df40] [c016b464] memset+0x2c/0x4c
> >> [    0.000000] [c094df60] [c08731f0] memblock_alloc_try_nid+0xd8/0xf0
> >> [    0.000000] [c094df90] [c0861f20] mmu_context_init+0x58/0xa0
> >> [    0.000000] [c094dfb0] [c085ca70] start_kernel+0x54/0x400
> >> [    0.000000] [c094dff0] [c0002258] start_here+0x44/0x9c
> >> [    0.000000]
> >> [    0.000000]
> >> [    0.000000] Memory state around the buggy address:
> >> [    0.000000]  c7ff5980: e2 a1 87 81 bd d4 a5 b5 f8 8d 89 e7 72 bc 20 24
> >> [    0.000000]  c7ff5a00: e7 b9 c1 c7 17 e9 b4 bd a4 d0 e7 a0 11 15 a5 b5
> >> [    0.000000] >c7ff5a80: b5 e1 83 a5 2d 65 31 3f f3 e5 a7 ef 34 b5 69 b5
> >> [    0.000000]                  ^
> >> [    0.000000]  c7ff5b00: 21 a5 c1 c1 b4 bf 2d e5 e5 c3 f5 91 e3 b8 a1 34
> >> [    0.000000]  c7ff5b80: ad ef 23 87 3d a6 ad b5 c3 c3 80 b7 ac b1 1f 37
> >> [    0.000000]
> >> ==================================================================
> >> [    0.000000] Disabling lock debugging due to kernel taint
> >> [    0.000000] MMU: Allocated 76 bytes of context maps for 16 contexts
> >> [    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 8176
> >> [    0.000000] Kernel command line: console=ttyCPM0,115200N8
> >> ip=192.168.2.7:192.168.2.2::255.0.0.0:vgoip:eth0:off kgdboc=ttyCPM0
> >> [    0.000000] Dentry cache hash table entries: 16384 (order: 2, 65536
> >> bytes)
> >> [    0.000000] Inode-cache hash table entries: 8192 (order: 1, 32768 bytes)
> >> [    0.000000] Memory: 99904K/131072K available (7376K kernel code, 528K
> >> rwdata, 1168K rodata, 576K init, 4623K bss, 31168K reserved, 0K
> >> cma-reserved)
> >> [    0.000000] Kernel virtual memory layout:
> >> [    0.000000]   * 0xffefc000..0xffffc000  : fixmap
> >> [    0.000000]   * 0xf7c00000..0xffc00000  : kasan shadow mem
> >> [    0.000000]   * 0xf7a00000..0xf7c00000  : consistent mem
> >> [    0.000000]   * 0xf7a00000..0xf7a00000  : early ioremap
> >> [    0.000000]   * 0xc9000000..0xf7a00000  : vmalloc & ioremap
> >>
> >>
> >> Christophe


* Re: [PATCH v3 3/3] powerpc/32: Add KASAN support
  2019-01-21  9:24           ` Dmitry Vyukov
@ 2019-01-21  9:30             ` Christophe Leroy
  0 siblings, 0 replies; 19+ messages in thread
From: Christophe Leroy @ 2019-01-21  9:30 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Aneesh Kumar K.V, LKML, Nicholas Piggin, Linux-MM,
	Paul Mackerras, kasan-dev, Andrey Ryabinin, Alexander Potapenko,
	linuxppc-dev



Le 21/01/2019 à 10:24, Dmitry Vyukov a écrit :
> On Mon, Jan 21, 2019 at 9:37 AM Christophe Leroy
> <christophe.leroy@c-s.fr> wrote:
>>
>>
>>
>> Le 21/01/2019 à 09:30, Dmitry Vyukov a écrit :
>>> On Mon, Jan 21, 2019 at 8:17 AM Christophe Leroy
>>> <christophe.leroy@c-s.fr> wrote:
>>>>
>>>>
>>>>
>>>> Le 15/01/2019 à 18:23, Andrey Ryabinin a écrit :
>>>>>
>>>>>
>>>>> On 1/12/19 2:16 PM, Christophe Leroy wrote:
>>>>>
>>>>>> +KASAN_SANITIZE_early_32.o := n
>>>>>> +KASAN_SANITIZE_cputable.o := n
>>>>>> +KASAN_SANITIZE_prom_init.o := n
>>>>>> +
>>>>>
>>>>> Usually it's also a good idea to disable branch profiling - define DISABLE_BRANCH_PROFILING
>>>>> either in top of these files or via Makefile. Branch profiling redefines if() statement and calls
>>>>> instrumented ftrace_likely_update in every if().
>>>>>
>>>>>
>>>>>
>>>>>> diff --git a/arch/powerpc/mm/kasan_init.c b/arch/powerpc/mm/kasan_init.c
>>>>>> new file mode 100644
>>>>>> index 000000000000..3edc9c2d2f3e
>>>>>
>>>>>> +void __init kasan_init(void)
>>>>>> +{
>>>>>> +    struct memblock_region *reg;
>>>>>> +
>>>>>> +    for_each_memblock(memory, reg)
>>>>>> +            kasan_init_region(reg);
>>>>>> +
>>>>>> +    pr_info("KASAN init done\n");
>>>>>
>>>>> Without "init_task.kasan_depth = 0;" kasan will not report bugs.
>>>>>
>>>>> There is test_kasan module. Make sure that it produces reports.
>>>>>
>>>>
>>>> Thanks for the review.
>>>>
>>>> Now I get the following very early in boot, what does that mean?
>>>
>>> This looks like an instrumented memset call before kasan shadow is
>>> mapped, or kasan shadow is not zeros. Does this happen before or after
>>> mapping of kasan_early_shadow_page?
>>
>> This is after the mapping of kasan_early_shadow_page.
>>
>>> This version seems to miss what x86 code has to clear the early shadow:
>>>
>>> /*
>>> * kasan_early_shadow_page has been used as early shadow memory, thus
>>> * it may contain some garbage. Now we can clear and write protect it,
>>> * since after the TLB flush no one should write to it.
>>> */
>>> memset(kasan_early_shadow_page, 0, PAGE_SIZE);
>>
>> In the early part, kasan_early_shadow_page is mapped read-only so I
>> assumed this reset of its content was unnecessary.
>>
>> I'll try with it.
>>
>> Christophe
> 
> As far as I understand machine memory contains garbage after boot, and
> that page needs to be all 0's so we need to explicitly memset it.

That page is in BSS so it is zeroed before kasan_early_init().

Though as expected, that memset() doesn't fix the issue.

Indeed the problem is in kasan_init(): memblock_phys_alloc() doesn't 
zeroize the allocated memory. I changed it to memblock_alloc() and now 
it works.

Thanks for your help,
Christophe


> 
> 
>>>> [    0.000000] KASAN init done
>>>> [    0.000000]
>>>> ==================================================================
>>>> [    0.000000] BUG: KASAN: unknown-crash in memblock_alloc_try_nid+0xd8/0xf0
>>>> [    0.000000] Write of size 68 at addr c7ff5a90 by task swapper/0
>>>> [    0.000000]
>>>> [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted
>>>> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce #772
>>>> [    0.000000] Call Trace:
>>>> [    0.000000] [c094ded0] [c016c7e4]
>>>> print_address_description+0x1a0/0x2b8 (unreliable)
>>>> [    0.000000] [c094df00] [c016caa0] kasan_report+0xe4/0x168
>>>> [    0.000000] [c094df40] [c016b464] memset+0x2c/0x4c
>>>> [    0.000000] [c094df60] [c08731f0] memblock_alloc_try_nid+0xd8/0xf0
>>>> [    0.000000] [c094df90] [c0861f20] mmu_context_init+0x58/0xa0
>>>> [    0.000000] [c094dfb0] [c085ca70] start_kernel+0x54/0x400
>>>> [    0.000000] [c094dff0] [c0002258] start_here+0x44/0x9c
>>>> [    0.000000]
>>>> [    0.000000]
>>>> [    0.000000] Memory state around the buggy address:
>>>> [    0.000000]  c7ff5980: e2 a1 87 81 bd d4 a5 b5 f8 8d 89 e7 72 bc 20 24
>>>> [    0.000000]  c7ff5a00: e7 b9 c1 c7 17 e9 b4 bd a4 d0 e7 a0 11 15 a5 b5
>>>> [    0.000000] >c7ff5a80: b5 e1 83 a5 2d 65 31 3f f3 e5 a7 ef 34 b5 69 b5
>>>> [    0.000000]                  ^
>>>> [    0.000000]  c7ff5b00: 21 a5 c1 c1 b4 bf 2d e5 e5 c3 f5 91 e3 b8 a1 34
>>>> [    0.000000]  c7ff5b80: ad ef 23 87 3d a6 ad b5 c3 c3 80 b7 ac b1 1f 37
>>>> [    0.000000]
>>>> ==================================================================
>>>> [    0.000000] Disabling lock debugging due to kernel taint
>>>> [    0.000000] MMU: Allocated 76 bytes of context maps for 16 contexts
>>>> [    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 8176
>>>> [    0.000000] Kernel command line: console=ttyCPM0,115200N8
>>>> ip=192.168.2.7:192.168.2.2::255.0.0.0:vgoip:eth0:off kgdboc=ttyCPM0
>>>> [    0.000000] Dentry cache hash table entries: 16384 (order: 2, 65536
>>>> bytes)
>>>> [    0.000000] Inode-cache hash table entries: 8192 (order: 1, 32768 bytes)
>>>> [    0.000000] Memory: 99904K/131072K available (7376K kernel code, 528K
>>>> rwdata, 1168K rodata, 576K init, 4623K bss, 31168K reserved, 0K
>>>> cma-reserved)
>>>> [    0.000000] Kernel virtual memory layout:
>>>> [    0.000000]   * 0xffefc000..0xffffc000  : fixmap
>>>> [    0.000000]   * 0xf7c00000..0xffc00000  : kasan shadow mem
>>>> [    0.000000]   * 0xf7a00000..0xf7c00000  : consistent mem
>>>> [    0.000000]   * 0xf7a00000..0xf7a00000  : early ioremap
>>>> [    0.000000]   * 0xc9000000..0xf7a00000  : vmalloc & ioremap
>>>>
>>>>
>>>> Christophe

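The shadow-byte mechanics behind both the unknown-crash report above and the test_kasan output later in the thread, as an added user-space model (example code, not part of the patch series or of the kernel): KASAN keeps one shadow byte per 8-byte granule, so a shadow region handed out by memblock_phys_alloc() without zeroing carries meaningless values and a valid write is reported as unknown-crash, while the same check on a zeroed shadow passes, and on a kmalloc(123) object it yields the 00 ... 03 pattern and slab-out-of-bounds seen in the test_kasan report. Constant names follow mm/kasan/kasan.h; addresses, sizes and the garbage bytes are constructed.

```c
/*
 * User-space model of generic KASAN's shadow memory (one shadow byte per
 * 8-byte granule) and of the check behind every instrumented access.
 * Added example for this thread, not code from the patch series.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_SCALE_SIZE  (1u << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SHADOW_MASK        (KASAN_SHADOW_SCALE_SIZE - 1)

/* Poison values as generic KASAN defines them in mm/kasan/kasan.h. */
#define KASAN_FREE_PAGE        0xFF
#define KASAN_PAGE_REDZONE     0xFE
#define KASAN_KMALLOC_REDZONE  0xFC
#define KASAN_KMALLOC_FREE     0xFB

enum kasan_bug_type {
	KASAN_NO_BUG,
	KASAN_SLAB_OOB,       /* reported as "slab-out-of-bounds" */
	KASAN_UAF,            /* reported as "use-after-free" */
	KASAN_UNKNOWN_CRASH,  /* reported as "unknown-crash": byte has no meaning */
};

#define MEM_SIZE    256                                  /* modelled memory */
#define SHADOW_SIZE (MEM_SIZE / KASAN_SHADOW_SCALE_SIZE)

/* Poison byte to report title, as in the kernel's get_shadow_bug_type(). */
static enum kasan_bug_type classify_shadow(uint8_t s)
{
	if (s < KASAN_SHADOW_SCALE_SIZE || s == KASAN_KMALLOC_REDZONE ||
	    s == KASAN_PAGE_REDZONE)
		return KASAN_SLAB_OOB;
	if (s == KASAN_KMALLOC_FREE || s == KASAN_FREE_PAGE)
		return KASAN_UAF;
	return KASAN_UNKNOWN_CRASH;
}

/*
 * The check behind an instrumented memset()/load/store, byte by byte for
 * clarity: shadow 0 means the whole granule is addressable, 1..7 that only
 * the first N bytes are, anything else is poison. Returns the bug type of
 * the first bad byte (its offset stored in *bad_addr), or KASAN_NO_BUG.
 */
static enum kasan_bug_type kasan_check_range(const uint8_t *shadow, size_t addr,
					     size_t size, size_t *bad_addr)
{
	for (size_t a = addr; a < addr + size; a++) {
		uint8_t s = shadow[a >> KASAN_SHADOW_SCALE_SHIFT];
		if (s == 0 || (s < KASAN_SHADOW_SCALE_SIZE &&
			       (a & KASAN_SHADOW_MASK) < s))
			continue;
		if (bad_addr)
			*bad_addr = a;
		return classify_shadow(s);
	}
	return KASAN_NO_BUG;
}

/* kasan_poison_shadow()/kasan_unpoison_shadow() for a granule-aligned addr. */
static void shadow_poison(uint8_t *shadow, size_t addr, size_t size, uint8_t value)
{
	memset(shadow + (addr >> KASAN_SHADOW_SCALE_SHIFT), value,
	       size >> KASAN_SHADOW_SCALE_SHIFT);
}

static void shadow_unpoison(uint8_t *shadow, size_t addr, size_t size)
{
	shadow_poison(shadow, addr, size, 0);
	if (size & KASAN_SHADOW_MASK)   /* partial last granule: kmalloc(123) -> 03 */
		shadow[(addr + size) >> KASAN_SHADOW_SCALE_SHIFT] = size & KASAN_SHADOW_MASK;
}

/*
 * The thread's failure: shadow obtained from an allocator that does not zero
 * (memblock_phys_alloc()) still holds whatever RAM contained, so a valid
 * 68-byte write like the memset() in memblock_alloc_try_nid() hits a
 * meaningless shadow byte and is reported as "unknown-crash". With
 * zero_shadow set, the shadow is zeroed, as memblock_alloc() guarantees.
 */
enum kasan_bug_type demo_fresh_shadow(int zero_shadow)
{
	static const uint8_t garbage[16] = {     /* constructed from the report */
		0xb5, 0xe1, 0x83, 0xa5, 0x2d, 0x65, 0x31, 0x3f,
		0xf3, 0xe5, 0xa7, 0xef, 0x34, 0xb5, 0x69, 0xb5 };
	uint8_t shadow[SHADOW_SIZE];
	for (size_t i = 0; i < SHADOW_SIZE; i++)
		shadow[i] = zero_shadow ? 0 : garbage[i % sizeof(garbage)];
	return kasan_check_range(shadow, 0x10, 68, NULL);
}

/*
 * test_kasan's kmalloc_oob_right: kmalloc(123) lands in a 128-byte slab
 * object inside KASAN_KMALLOC_REDZONE; the object's last shadow byte is 03,
 * so ptr[122] passes and ptr[123] is "slab-out-of-bounds".
 */
enum kasan_bug_type demo_kmalloc_oob_right(size_t offset, size_t *bad_addr)
{
	uint8_t shadow[SHADOW_SIZE];
	shadow_poison(shadow, 0, MEM_SIZE, KASAN_KMALLOC_REDZONE);
	shadow_unpoison(shadow, 64, 123);        /* object at constructed address 64 */
	return kasan_check_range(shadow, 64 + offset, 1, bad_addr);
}
```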

* Re: [PATCH v3 3/3] powerpc/32: Add KASAN support
  2019-01-15 17:23   ` Andrey Ryabinin
  2019-01-21  7:17     ` Christophe Leroy
@ 2019-01-21 10:36     ` Christophe Leroy
  2019-01-21 12:33       ` Dmitry Vyukov
  1 sibling, 1 reply; 19+ messages in thread
From: Christophe Leroy @ 2019-01-21 10:36 UTC (permalink / raw)
  To: Andrey Ryabinin, Benjamin Herrenschmidt, Paul Mackerras,
	Michael Ellerman, Nicholas Piggin, Aneesh Kumar K.V,
	Alexander Potapenko, Dmitry Vyukov
  Cc: linux-mm, linuxppc-dev, linux-kernel, kasan-dev



Le 15/01/2019 à 18:23, Andrey Ryabinin a écrit :
> 
> 
> On 1/12/19 2:16 PM, Christophe Leroy wrote:
> 
>> +KASAN_SANITIZE_early_32.o := n
>> +KASAN_SANITIZE_cputable.o := n
>> +KASAN_SANITIZE_prom_init.o := n
>> +
> 
> Usually it's also a good idea to disable branch profiling - define DISABLE_BRANCH_PROFILING
> either in top of these files or via Makefile. Branch profiling redefines if() statement and calls
> instrumented ftrace_likely_update in every if().
> 
> 
> 
>> diff --git a/arch/powerpc/mm/kasan_init.c b/arch/powerpc/mm/kasan_init.c
>> new file mode 100644
>> index 000000000000..3edc9c2d2f3e
> 
>> +void __init kasan_init(void)
>> +{
>> +	struct memblock_region *reg;
>> +
>> +	for_each_memblock(memory, reg)
>> +		kasan_init_region(reg);
>> +
>> +	pr_info("KASAN init done\n");
> 
> Without "init_task.kasan_depth = 0;" kasan will not report bugs.
> 
> There is test_kasan module. Make sure that it produces reports.
> 

I get the following report with the test_kasan module.

Could you have a look at it and tell me if everything is as expected?

Thanks
Christophe

[  667.298897] kasan test: kmalloc_oob_right out-of-bounds to right
[  667.299036] ==================================================================
[  667.306263] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0x74/0x94 [test_kasan]
[  667.313929] Write of size 1 at addr c53996fb by task exe/340
[  667.319451]
[  667.321021] CPU: 0 PID: 340 Comm: exe Not tainted 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  667.321072] Call Trace:
[  667.321248] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  667.321452] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  667.321741] [c5649ce0] [c95d41d4] kmalloc_oob_right+0x74/0x94 [test_kasan]
[  667.322022] [c5649d00] [c95d5510] kmalloc_tests_init+0x18/0x2d0 [test_kasan]
[  667.322214] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  667.322428] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  667.322630] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  667.322834] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  667.323027] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  667.323193] --- interrupt: c01 at 0xfd6b914
[  667.323193]     LR = 0x1001364c
[  667.323239]
[  667.324561] Allocated by task 340:
[  667.327993]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  667.328241]  kmalloc_oob_right+0x44/0x94 [test_kasan]
[  667.328477]  kmalloc_tests_init+0x18/0x2d0 [test_kasan]
[  667.328622]  do_one_initcall+0x40/0x278
[  667.328792]  do_init_module+0xcc/0x59c
[  667.328948]  load_module+0x2bc4/0x320c
[  667.329107]  sys_init_module+0x114/0x138
[  667.329250]  ret_from_syscall+0x0/0x38
[  667.329298]
[  667.330580] Freed by task 335:
[  667.333667]  __kasan_slab_free+0x120/0x22c
[  667.333788]  kfree+0x74/0x270
[  667.333950]  load_elf_binary+0xb0/0x162c
[  667.334129]  search_binary_handler+0x120/0x374
[  667.334297]  __do_execve_file+0x834/0xb20
[  667.334460]  sys_execve+0x40/0x54
[  667.334605]  ret_from_syscall+0x0/0x38
[  667.334652]
[  667.335954] The buggy address belongs to the object at c5399680
[  667.335954]  which belongs to the cache kmalloc-128 of size 128
[  667.347675] The buggy address is located 123 bytes inside of
[  667.347675]  128-byte region [c5399680, c5399700)
[  667.357847] The buggy address belongs to the page:
[  667.362634] page:c7fd9cc0 count:1 mapcount:0 mapping:c5007a80 index:0x0
[  667.362745] flags: 0x200(slab)
[  667.362973] raw: 00000200 00000100 00000200 c5007a80 00000000 005500ab ffffffff 00000001
[  667.363043] page dumped because: kasan: bad access detected
[  667.363083]
[  667.364384] Memory state around the buggy address:
[  667.369190]  c5399580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  667.375645]  c5399600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  667.382099] >c5399680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03
[  667.388496]                                                         ^
[  667.394921]  c5399700: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  667.401377]  c5399780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  667.407767] ==================================================================
[  667.414904] Disabling lock debugging due to kernel taint
[  667.421182] kasan test: kmalloc_oob_left out-of-bounds to left
[  667.421314] ==================================================================
[  667.428466] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_left+0x74/0x9c [test_kasan]
[  667.436045] Read of size 1 at addr c58e9ddf by task exe/340
[  667.441483]
[  667.443064] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  667.443115] Call Trace:
[  667.443290] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  667.443492] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  667.443779] [c5649ce0] [c95d4268] kmalloc_oob_left+0x74/0x9c [test_kasan]
[  667.444057] [c5649d00] [c95d5514] kmalloc_tests_init+0x1c/0x2d0 [test_kasan]
[  667.444246] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  667.444458] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  667.444658] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  667.444859] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  667.445051] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  667.445215] --- interrupt: c01 at 0xfd6b914
[  667.445215]     LR = 0x1001364c
[  667.445260]
[  667.446593] Allocated by task 340:
[  667.450025]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  667.450191]  do_init_module+0x2c/0x59c
[  667.450346]  load_module+0x2bc4/0x320c
[  667.450503]  sys_init_module+0x114/0x138
[  667.450645]  ret_from_syscall+0x0/0x38
[  667.450691]
[  667.452009] Freed by task 276:
[  667.455096]  __kasan_slab_free+0x120/0x22c
[  667.455214]  kfree+0x74/0x270
[  667.455344]  single_release+0x54/0x6c
[  667.455516]  close_pdeo+0x128/0x224
[  667.455680]  proc_reg_release+0x110/0x128
[  667.455811]  __fput+0xec/0x2d4
[  667.455934]  task_work_run+0x13c/0x15c
[  667.456101]  do_notify_resume+0x3d8/0x438
[  667.456248]  do_user_signal+0x2c/0x34
[  667.456294]
[  667.457641] The buggy address belongs to the object at c58e9dc0
[  667.457641]  which belongs to the cache kmalloc-16 of size 16
[  667.469191] The buggy address is located 15 bytes to the right of
[  667.469191]  16-byte region [c58e9dc0, c58e9dd0)
[  667.479708] The buggy address belongs to the page:
[  667.484495] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  667.484606] flags: 0x200(slab)
[  667.484833] raw: 00000200 00000100 00000200 c5007dc0 00000000 02000401 ffffffff 00000001
[  667.484900] page dumped because: kasan: bad access detected
[  667.484940]
[  667.486244] Memory state around the buggy address:
[  667.491051]  c58e9c80: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[  667.497505]  c58e9d00: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[  667.503959] >c58e9d80: 00 00 fc fc 00 00 fc fc 00 04 fc fc 00 07 fc fc
[  667.510354]                                             ^
[  667.515748]  c58e9e00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  667.522204]  c58e9e80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  667.528595] ==================================================================
[  667.803662] kasan test: kmalloc_node_oob_right kmalloc_node(): out-of-bounds to right
[  667.803806] ==================================================================
[  667.811008] BUG: KASAN: slab-out-of-bounds in kmalloc_node_oob_right+0x74/0x94 [test_kasan]
[  667.819105] Write of size 1 at addr c59a4300 by task exe/340
[  667.824627]
[  667.826209] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  667.826260] Call Trace:
[  667.826436] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  667.826640] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  667.826931] [c5649ce0] [c95d4304] kmalloc_node_oob_right+0x74/0x94 [test_kasan]
[  667.827211] [c5649d00] [c95d5518] kmalloc_tests_init+0x20/0x2d0 [test_kasan]
[  667.827402] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  667.827616] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  667.827818] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  667.828022] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  667.828216] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  667.828382] --- interrupt: c01 at 0xfd6b914
[  667.828382]     LR = 0x1001364c
[  667.828428]
[  667.829737] Allocated by task 340:
[  667.833169]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  667.833420]  kmalloc_node_oob_right+0x44/0x94 [test_kasan]
[  667.833656]  kmalloc_tests_init+0x20/0x2d0 [test_kasan]
[  667.833801]  do_one_initcall+0x40/0x278
[  667.833970]  do_init_module+0xcc/0x59c
[  667.834125]  load_module+0x2bc4/0x320c
[  667.834284]  sys_init_module+0x114/0x138
[  667.834427]  ret_from_syscall+0x0/0x38
[  667.834475]
[  667.835756] Freed by task 319:
[  667.838843]  __kasan_slab_free+0x120/0x22c
[  667.838963]  kfree+0x74/0x270
[  667.839137]  kobject_uevent_env+0x15c/0x65c
[  667.839299]  led_trigger_set+0x3f0/0x4fc
[  667.839451]  led_trigger_store+0xd8/0x164
[  667.839593]  kernfs_fop_write+0x18c/0x218
[  667.839721]  __vfs_write+0x5c/0x258
[  667.839843]  vfs_write+0xe4/0x248
[  667.839966]  ksys_write+0x58/0xd8
[  667.840111]  ret_from_syscall+0x0/0x38
[  667.840158]
[  667.841475] The buggy address belongs to the object at c59a3300
[  667.841475]  which belongs to the cache kmalloc-4k of size 4096
[  667.853196] The buggy address is located 0 bytes to the right of
[  667.853196]  4096-byte region [c59a3300, c59a4300)
[  667.863798] The buggy address belongs to the page:
[  667.868586] page:c7fdcd00 count:1 mapcount:0 mapping:c50075a0 index:0x0 compound_mapcount: 0
[  667.868727] flags: 0x10200(slab|head)
[  667.868956] raw: 00010200 00000100 00000200 c50075a0 00000000 000f001f ffffffff 00000001
[  667.869025] page dumped because: kasan: bad access detected
[  667.869065]
[  667.870334] Memory state around the buggy address:
[  667.875141]  c59a4200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  667.881595]  c59a4280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  667.888049] >c59a4300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  667.894436]            ^
[  667.896998]  c59a4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  667.903454]  c59a4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  667.909845] ==================================================================
[  667.923434] kasan test: kmalloc_pagealloc_oob_right kmalloc pagealloc allocation: out-of-bounds to right
[  667.923647] ==================================================================
[  667.930896] BUG: KASAN: slab-out-of-bounds in kmalloc_pagealloc_oob_right+0x78/0x98 [test_kasan]
[  667.939503] Write of size 1 at addr c5bd800a by task exe/340
[  667.945024]
[  667.946607] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  667.946657] Call Trace:
[  667.946833] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  667.947035] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  667.947325] [c5649ce0] [c95d4674] kmalloc_pagealloc_oob_right+0x78/0x98 [test_kasan]
[  667.947603] [c5649d00] [c95d551c] kmalloc_tests_init+0x24/0x2d0 [test_kasan]
[  667.947792] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  667.948004] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  667.948204] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  667.948406] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  667.948597] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  667.948760] --- interrupt: c01 at 0xfd6b914
[  667.948760]     LR = 0x1001364c
[  667.948806]
[  667.950115] The buggy address belongs to the page:
[  667.954903] page:c7fdde80 count:1 mapcount:0 mapping:00000000 index:0x0 compound_mapcount: 0
[  667.955038] flags: 0x10000(head)
[  667.955260] raw: 00010000 00000100 00000200 00000000 00000000 00000000 ffffffff 00000001
[  667.955327] page dumped because: kasan: bad access detected
[  667.955367]
[  667.956652] Memory state around the buggy address:
[  667.961458]  c5bd7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  667.967912]  c5bd7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  667.974367] >c5bd8000: 00 02 fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[  667.980755]               ^
[  667.983574]  c5bd8080: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[  667.990030]  c5bd8100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[  667.996420] 
==================================================================
[  668.222064] kasan test: kmalloc_pagealloc_uaf kmalloc pagealloc allocation: use-after-free
[  668.222349] 
==================================================================
[  668.229525] BUG: KASAN: use-after-free in kmalloc_pagealloc_uaf+0x78/0x94 [test_kasan]
[  668.237274] Write of size 1 at addr c5bd0000 by task exe/340
[  668.242796]
[  668.244378] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  668.244429] Call Trace:
[  668.244606] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  668.244810] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  668.245100] [c5649ce0] [c95d470c] kmalloc_pagealloc_uaf+0x78/0x94 [test_kasan]
[  668.245381] [c5649d00] [c95d5520] kmalloc_tests_init+0x28/0x2d0 [test_kasan]
[  668.245573] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  668.245787] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  668.245989] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  668.246192] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  668.246386] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  668.246552] --- interrupt: c01 at 0xfd6b914
[  668.246552]     LR = 0x1001364c
[  668.246598]
[  668.247886] The buggy address belongs to the page:
[  668.252671] page:c7fdde80 count:0 mapcount:-128 mapping:00000000 index:0x0
[  668.252769] flags: 0x0()
[  668.252994] raw: 00000000 c7fdcf84 c0982ae8 00000000 00000000 00000002 ffffff7f 00000000
[  668.253062] page dumped because: kasan: bad access detected
[  668.253102]
[  668.254337] Memory state around the buggy address:
[  668.259143]  c5bcff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  668.265597]  c5bcff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  668.272052] >c5bd0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  668.278439]            ^
[  668.281001]  c5bd0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  668.287458]  c5bd0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  668.293847] 
==================================================================
[  668.310744] kasan test: kmalloc_pagealloc_invalid_free kmalloc pagealloc allocation: invalid-free
[  668.310957] 
==================================================================
[  668.318156] BUG: KASAN: double-free or invalid-free in kmalloc_tests_init+0x2c/0x2d0 [test_kasan]
[  668.326705]
[  668.328286] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  668.328337] Call Trace:
[  668.328512] [c5649c80] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  668.328724] [c5649cb0] [c0176c24] kasan_report_invalid_free+0x48/0x74
[  668.328888] [c5649ce0] [c0173c14] kfree+0x1f8/0x270
[  668.329176] [c5649d00] [c95d5524] kmalloc_tests_init+0x2c/0x2d0 [test_kasan]
[  668.329365] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  668.329577] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  668.329777] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  668.329978] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  668.330170] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  668.330334] --- interrupt: c01 at 0xfd6b914
[  668.330334]     LR = 0x1001364c
[  668.330379]
[  668.331622] The buggy address belongs to the page:
[  668.336410] page:c7fdde80 count:1 mapcount:0 mapping:00000000 index:0x0 compound_mapcount: 0
[  668.336545] flags: 0x10000(head)
[  668.336767] raw: 00010000 00000100 00000200 00000000 00000000 00000000 ffffffff 00000001
[  668.336834] page dumped because: kasan: bad access detected
[  668.336873]
[  668.338158] Memory state around the buggy address:
[  668.342965]  c5bcff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  668.349419]  c5bcff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  668.355874] >c5bd0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  668.362260]            ^
[  668.364822]  c5bd0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  668.371279]  c5bd0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  668.377668] 
==================================================================
[  668.528086] kasan test: kmalloc_large_oob_right kmalloc large allocation: out-of-bounds to right
[  668.528279] 
==================================================================
[  668.535471] BUG: KASAN: slab-out-of-bounds in kmalloc_large_oob_right+0x74/0x94 [test_kasan]
[  668.543735] Write of size 1 at addr c5498700 by task exe/340
[  668.549257]
[  668.550840] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  668.550891] Call Trace:
[  668.551068] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  668.551272] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  668.551561] [c5649ce0] [c95d4398] kmalloc_large_oob_right+0x74/0x94 [test_kasan]
[  668.551842] [c5649d00] [c95d5528] kmalloc_tests_init+0x30/0x2d0 [test_kasan]
[  668.552034] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  668.552248] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  668.552450] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  668.552655] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  668.552848] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  668.553013] --- interrupt: c01 at 0xfd6b914
[  668.553013]     LR = 0x1001364c
[  668.553059]
[  668.554367] Allocated by task 340:
[  668.557799]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  668.558049]  kmalloc_large_oob_right+0x44/0x94 [test_kasan]
[  668.558285]  kmalloc_tests_init+0x30/0x2d0 [test_kasan]
[  668.558430]  do_one_initcall+0x40/0x278
[  668.558599]  do_init_module+0xcc/0x59c
[  668.558756]  load_module+0x2bc4/0x320c
[  668.558915]  sys_init_module+0x114/0x138
[  668.559058]  ret_from_syscall+0x0/0x38
[  668.559106]
[  668.560386] Freed by task 173:
[  668.563473]  __kasan_slab_free+0x120/0x22c
[  668.563595]  kfree+0x74/0x270
[  668.563763]  consume_skb+0x38/0x138
[  668.563935]  skb_free_datagram+0x1c/0x80
[  668.564104]  netlink_recvmsg+0x1d0/0x4d4
[  668.564270]  ___sys_recvmsg+0xd8/0x194
[  668.564436]  __sys_recvmsg+0x40/0x8c
[  668.564563]  sys_socketcall+0xf8/0x210
[  668.564709]  ret_from_syscall+0x0/0x38
[  668.564756]
[  668.566106] The buggy address belongs to the object at c5490800
[  668.566106]  which belongs to the cache kmalloc-32k of size 32768
[  668.578000] The buggy address is located 32512 bytes inside of
[  668.578000]  32768-byte region [c5490800, c5498800)
[  668.588514] The buggy address belongs to the page:
[  668.593302] page:c7fda400 count:1 mapcount:0 mapping:c5007330 index:0x0 compound_mapcount: 0
[  668.593443] flags: 0x10200(slab|head)
[  668.593672] raw: 00010200 00000100 00000200 c5007330 00000000 00030007 ffffffff 00000001
[  668.593741] page dumped because: kasan: bad access detected
[  668.593781]
[  668.595051] Memory state around the buggy address:
[  668.599857]  c5498600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  668.606311]  c5498680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  668.612765] >c5498700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  668.619152]            ^
[  668.621714]  c5498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  668.628171]  c5498800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  668.634561] 
==================================================================
[  668.645940] kasan test: kmalloc_oob_krealloc_more out-of-bounds after krealloc more
[  668.646103] 
==================================================================
[  668.653286] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_krealloc_more+0x8c/0xac [test_kasan]
[  668.661723] Write of size 1 at addr c53e8ca3 by task exe/340
[  668.667245]
[  668.668827] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  668.668877] Call Trace:
[  668.669052] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  668.669254] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  668.669543] [c5649ce0] [c95d4838] kmalloc_oob_krealloc_more+0x8c/0xac [test_kasan]
[  668.669823] [c5649d00] [c95d552c] kmalloc_tests_init+0x34/0x2d0 [test_kasan]
[  668.670012] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  668.670225] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  668.670426] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  668.670627] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  668.670819] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  668.670982] --- interrupt: c01 at 0xfd6b914
[  668.670982]     LR = 0x1001364c
[  668.671027]
[  668.672354] Allocated by task 340:
[  668.675786]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  668.675935]  krealloc+0xb0/0xe8
[  668.676185]  kmalloc_oob_krealloc_more+0x58/0xac [test_kasan]
[  668.676419]  kmalloc_tests_init+0x34/0x2d0 [test_kasan]
[  668.676563]  do_one_initcall+0x40/0x278
[  668.676730]  do_init_module+0xcc/0x59c
[  668.676885]  load_module+0x2bc4/0x320c
[  668.677042]  sys_init_module+0x114/0x138
[  668.677185]  ret_from_syscall+0x0/0x38
[  668.677231]
[  668.678543] Freed by task 0:
[  668.681460]  __kasan_slab_free+0x120/0x22c
[  668.681579]  kfree+0x74/0x270
[  668.681726]  rcu_process_callbacks+0x384/0x620
[  668.681858]  __do_softirq+0x134/0x48c
[  668.681904]
[  668.683231] The buggy address belongs to the object at c53e8c90
[  668.683231]  which belongs to the cache kmalloc-32 of size 32
[  668.694778] The buggy address is located 19 bytes inside of
[  668.694778]  32-byte region [c53e8c90, c53e8cb0)
[  668.704780] The buggy address belongs to the page:
[  668.709568] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
[  668.709676] flags: 0x200(slab)
[  668.709903] raw: 00000200 00000100 00000200 c5007cf0 00000000 015502ab ffffffff 00000001
[  668.709970] page dumped because: kasan: bad access detected
[  668.710010]
[  668.711317] Memory state around the buggy address:
[  668.716124]  c53e8b80: 00 fc fc fc 00 00 00 fc fc fc fb fb fb fb fc fc
[  668.722579]  c53e8c00: 00 00 00 04 fc fc 00 00 00 04 fc fc 00 00 00 00
[  668.729033] >c53e8c80: fc fc 00 00 03 fc fc fc 00 00 00 00 fc fc 00 00
[  668.735421]                        ^
[  668.739014]  c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
[  668.745470]  c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00
[  668.751860] 
==================================================================
[  669.016775] kasan test: kmalloc_oob_krealloc_less out-of-bounds after krealloc less
[  669.016942] 
==================================================================
[  669.024120] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_krealloc_less+0x8c/0xac [test_kasan]
[  669.032474] Write of size 1 at addr c53e8bdf by task exe/340
[  669.037995]
[  669.039577] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  669.039628] Call Trace:
[  669.039803] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  669.040007] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  669.040299] [c5649ce0] [c95d48e4] kmalloc_oob_krealloc_less+0x8c/0xac [test_kasan]
[  669.040580] [c5649d00] [c95d5530] kmalloc_tests_init+0x38/0x2d0 [test_kasan]
[  669.040771] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  669.040984] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  669.041187] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  669.041390] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  669.041584] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  669.041750] --- interrupt: c01 at 0xfd6b914
[  669.041750]     LR = 0x1001364c
[  669.041796]
[  669.043105] Allocated by task 340:
[  669.046537]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  669.046687]  krealloc+0xb0/0xe8
[  669.046940]  kmalloc_oob_krealloc_less+0x58/0xac [test_kasan]
[  669.047176]  kmalloc_tests_init+0x38/0x2d0 [test_kasan]
[  669.047321]  do_one_initcall+0x40/0x278
[  669.047491]  do_init_module+0xcc/0x59c
[  669.047648]  load_module+0x2bc4/0x320c
[  669.047806]  sys_init_module+0x114/0x138
[  669.047951]  ret_from_syscall+0x0/0x38
[  669.047998]
[  669.049294] Freed by task 0:
[  669.052211]  __kasan_slab_free+0x120/0x22c
[  669.052332]  kfree+0x74/0x270
[  669.052479]  rcu_process_callbacks+0x384/0x620
[  669.052612]  __do_softirq+0x134/0x48c
[  669.052659]
[  669.053981] The buggy address belongs to the object at c53e8bd0
[  669.053981]  which belongs to the cache kmalloc-32 of size 32
[  669.065529] The buggy address is located 15 bytes inside of
[  669.065529]  32-byte region [c53e8bd0, c53e8bf0)
[  669.075531] The buggy address belongs to the page:
[  669.080318] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
[  669.080428] flags: 0x200(slab)
[  669.080655] raw: 00000200 00000100 00000200 c5007cf0 00000000 015502ab ffffffff 00000001
[  669.080724] page dumped because: kasan: bad access detected
[  669.080764]
[  669.082068] Memory state around the buggy address:
[  669.086874]  c53e8a80: 00 00 00 fc fc fc 00 00 00 fc fc fc 00 00 00 00
[  669.093328]  c53e8b00: fc fc 00 00 00 fc fc fc 00 00 00 fc fc fc 00 00
[  669.099783] >c53e8b80: 00 fc fc fc 00 00 00 fc fc fc 00 07 fc fc fc fc
[  669.106177]                                             ^
[  669.111572]  c53e8c00: 00 00 00 04 fc fc 00 00 00 04 fc fc 00 00 00 00
[  669.118028]  c53e8c80: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc 00 00
[  669.124418] 
==================================================================
[  669.137359] kasan test: kmalloc_oob_16 kmalloc out-of-bounds for 16-bytes access
[  669.137538] 
==================================================================
[  669.144772] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_16+0x94/0xdc [test_kasan]
[  669.152181] Write of size 16 at addr c58eada0 by task exe/340
[  669.157790]
[  669.159371] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  669.159421] Call Trace:
[  669.159597] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  669.159799] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  669.160086] [c5649ce0] [c95d444c] kmalloc_oob_16+0x94/0xdc [test_kasan]
[  669.160365] [c5649d00] [c95d5534] kmalloc_tests_init+0x3c/0x2d0 [test_kasan]
[  669.160554] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  669.160765] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  669.160966] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  669.161167] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  669.161360] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  669.161523] --- interrupt: c01 at 0xfd6b914
[  669.161523]     LR = 0x1001364c
[  669.161569]
[  669.162900] Allocated by task 340:
[  669.166332]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  669.166578]  kmalloc_oob_16+0x48/0xdc [test_kasan]
[  669.166812]  kmalloc_tests_init+0x3c/0x2d0 [test_kasan]
[  669.166955]  do_one_initcall+0x40/0x278
[  669.167121]  do_init_module+0xcc/0x59c
[  669.167275]  load_module+0x2bc4/0x320c
[  669.167432]  sys_init_module+0x114/0x138
[  669.167575]  ret_from_syscall+0x0/0x38
[  669.167620]
[  669.168919] Freed by task 338:
[  669.172004]  __kasan_slab_free+0x120/0x22c
[  669.172122]  kfree+0x74/0x270
[  669.172264]  walk_component+0x150/0x478
[  669.172399]  link_path_walk+0x374/0x63c
[  669.172535]  path_openat+0xe4/0x15f8
[  669.172674]  do_filp_open+0xd0/0x120
[  669.172843]  do_open_execat+0x64/0x264
[  669.173010]  __do_execve_file+0xa0c/0xb20
[  669.173172]  sys_execve+0x40/0x54
[  669.173318]  ret_from_syscall+0x0/0x38
[  669.173364]
[  669.174722] The buggy address belongs to the object at c58eada0
[  669.174722]  which belongs to the cache kmalloc-16 of size 16
[  669.186269] The buggy address is located 0 bytes inside of
[  669.186269]  16-byte region [c58eada0, c58eadb0)
[  669.196187] The buggy address belongs to the page:
[  669.200974] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  669.201083] flags: 0x200(slab)
[  669.201310] raw: 00000200 00000100 00000200 c5007dc0 00000000 02000401 ffffffff 00000001
[  669.201378] page dumped because: kasan: bad access detected
[  669.201417]
[  669.202723] Memory state around the buggy address:
[  669.207530]  c58eac80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  669.213984]  c58ead00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  669.220438] >c58ead80: fb fb fc fc 00 05 fc fc 00 00 fc fc fb fb fc fc
[  669.226828]                           ^
[  669.230678]  c58eae00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  669.237134]  c58eae80: fb fb fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
[  669.243524] 
==================================================================
[  669.521937] kasan test: kmalloc_oob_in_memset out-of-bounds in memset
[  669.522086] 
==================================================================
[  669.529294] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_in_memset+0x78/0x90 [test_kasan]
[  669.537306] Write of size 671 at addr c5881b00 by task exe/340
[  669.543000]
[  669.544581] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  669.544632] Call Trace:
[  669.544808] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  669.545012] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
[  669.545186] [c5649cc0] [c0175700] memset+0x2c/0x4c
[  669.545477] [c5649ce0] [c95d497c] kmalloc_oob_in_memset+0x78/0x90 [test_kasan]
[  669.545759] [c5649d00] [c95d5538] kmalloc_tests_init+0x40/0x2d0 [test_kasan]
[  669.545949] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  669.546163] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  669.546366] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  669.546570] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  669.546764] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  669.546929] --- interrupt: c01 at 0xfd6b914
[  669.546929]     LR = 0x1001364c
[  669.546976]
[  669.548281] Allocated by task 340:
[  669.551713]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  669.551963]  kmalloc_oob_in_memset+0x44/0x90 [test_kasan]
[  669.552199]  kmalloc_tests_init+0x40/0x2d0 [test_kasan]
[  669.552346]  do_one_initcall+0x40/0x278
[  669.552515]  do_init_module+0xcc/0x59c
[  669.552672]  load_module+0x2bc4/0x320c
[  669.552831]  sys_init_module+0x114/0x138
[  669.552976]  ret_from_syscall+0x0/0x38
[  669.553023]
[  669.554300] Freed by task 131:
[  669.557387]  __kasan_slab_free+0x120/0x22c
[  669.557508]  kfree+0x74/0x270
[  669.557682]  pskb_expand_head+0x2b0/0x434
[  669.557843]  netlink_trim+0xfc/0x114
[  669.558009]  netlink_broadcast_filtered+0x48/0x530
[  669.558169]  nlmsg_notify+0x7c/0x128
[  669.558330]  fib6_add+0xd44/0x11d4
[  669.558461]  __ip6_ins_rt+0x5c/0x88
[  669.558598]  ip6_ins_rt+0x34/0x44
[  669.558777]  __ipv6_ifa_notify+0x388/0x38c
[  669.558945]  ipv6_ifa_notify+0x68/0x88
[  669.559076]  addrconf_dad_completed+0x54/0x49c
[  669.559201]  addrconf_dad_work+0x558/0x84c
[  669.559369]  process_one_work+0x408/0x78c
[  669.559524]  worker_thread+0xb4/0x83c
[  669.559657]  kthread+0x144/0x184
[  669.559811]  ret_from_kernel_thread+0x14/0x1c
[  669.559858]
[  669.561223] The buggy address belongs to the object at c5881b00
[  669.561223]  which belongs to the cache kmalloc-1k of size 1024
[  669.572943] The buggy address is located 0 bytes inside of
[  669.572943]  1024-byte region [c5881b00, c5881f00)
[  669.583031] The buggy address belongs to the page:
[  669.587818] page:c7fdc400 count:1 mapcount:0 mapping:c5007740 index:0x0
[  669.587929] flags: 0x200(slab)
[  669.588156] raw: 00000200 00000100 00000200 c5007740 00000000 000e001d ffffffff 00000001
[  669.588225] page dumped because: kasan: bad access detected
[  669.588265]
[  669.589567] Memory state around the buggy address:
[  669.594374]  c5881c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  669.600828]  c5881d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  669.607282] >c5881d80: 00 00 00 02 fc fc fc fc fc fc fc fc fc fc fc fc
[  669.613671]                     ^
[  669.617005]  c5881e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  669.623462]  c5881e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  669.629852] 
==================================================================
[  669.643287] kasan test: kmalloc_oob_memset_2 out-of-bounds in memset2
[  669.643423] 
==================================================================
[  669.650641] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_memset_2+0x7c/0x94 [test_kasan]
[  669.658563] Write of size 2 at addr c58eae07 by task exe/340
[  669.664085]
[  669.665668] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  669.665718] Call Trace:
[  669.665891] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  669.666095] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
[  669.666267] [c5649cc0] [c0175700] memset+0x2c/0x4c
[  669.666556] [c5649ce0] [c95d4a10] kmalloc_oob_memset_2+0x7c/0x94 [test_kasan]
[  669.666836] [c5649d00] [c95d553c] kmalloc_tests_init+0x44/0x2d0 [test_kasan]
[  669.667026] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  669.667239] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  669.667440] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  669.667643] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  669.667836] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  669.668002] --- interrupt: c01 at 0xfd6b914
[  669.668002]     LR = 0x1001364c
[  669.668046]
[  669.669366] Allocated by task 340:
[  669.672799]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  669.673048]  kmalloc_oob_memset_2+0x44/0x94 [test_kasan]
[  669.673283]  kmalloc_tests_init+0x44/0x2d0 [test_kasan]
[  669.673426]  do_one_initcall+0x40/0x278
[  669.673594]  do_init_module+0xcc/0x59c
[  669.673750]  load_module+0x2bc4/0x320c
[  669.673909]  sys_init_module+0x114/0x138
[  669.674051]  ret_from_syscall+0x0/0x38
[  669.674098]
[  669.675387] Freed by task 276:
[  669.678473]  __kasan_slab_free+0x120/0x22c
[  669.678594]  kfree+0x74/0x270
[  669.678724]  single_release+0x54/0x6c
[  669.678897]  close_pdeo+0x128/0x224
[  669.679064]  proc_reg_release+0x110/0x128
[  669.679197]  __fput+0xec/0x2d4
[  669.679320]  task_work_run+0x13c/0x15c
[  669.679487]  do_notify_resume+0x3d8/0x438
[  669.679636]  do_user_signal+0x2c/0x34
[  669.679682]
[  669.681018] The buggy address belongs to the object at c58eae00
[  669.681018]  which belongs to the cache kmalloc-16 of size 16
[  669.692565] The buggy address is located 7 bytes inside of
[  669.692565]  16-byte region [c58eae00, c58eae10)
[  669.702482] The buggy address belongs to the page:
[  669.707268] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  669.707380] flags: 0x200(slab)
[  669.707607] raw: 00000200 00000100 00000200 c5007dc0 00000000 02000401 ffffffff 00000001
[  669.707674] page dumped because: kasan: bad access detected
[  669.707713]
[  669.709018] Memory state around the buggy address:
[  669.713825]  c58ead00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  669.720279]  c58ead80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  669.726734] >c58eae00: 00 fc fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  669.733120]               ^
[  669.735941]  c58eae80: fb fb fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
[  669.742397]  c58eaf00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  669.748787] 
==================================================================
[  670.056503] kasan test: kmalloc_oob_memset_4 out-of-bounds in memset4
[  670.056640] 
==================================================================
[  670.063818] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_memset_4+0x7c/0x94 [test_kasan]
[  670.071743] Write of size 4 at addr c58eae25 by task exe/340
[  670.077263]
[  670.078847] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  670.078898] Call Trace:
[  670.079074] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  670.079279] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
[  670.079452] [c5649cc0] [c0175700] memset+0x2c/0x4c
[  670.079743] [c5649ce0] [c95d4aa4] kmalloc_oob_memset_4+0x7c/0x94 [test_kasan]
[  670.080025] [c5649d00] [c95d5540] kmalloc_tests_init+0x48/0x2d0 [test_kasan]
[  670.080216] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  670.080431] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  670.080635] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  670.080839] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  670.081034] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  670.081201] --- interrupt: c01 at 0xfd6b914
[  670.081201]     LR = 0x1001364c
[  670.081247]
[  670.082546] Allocated by task 340:
[  670.085978]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  670.086229]  kmalloc_oob_memset_4+0x44/0x94 [test_kasan]
[  670.086465]  kmalloc_tests_init+0x48/0x2d0 [test_kasan]
[  670.086611]  do_one_initcall+0x40/0x278
[  670.086782]  do_init_module+0xcc/0x59c
[  670.086941]  load_module+0x2bc4/0x320c
[  670.087101]  sys_init_module+0x114/0x138
[  670.087246]  ret_from_syscall+0x0/0x38
[  670.087293]
[  670.088563] Freed by task 276:
[  670.091652]  __kasan_slab_free+0x120/0x22c
[  670.091774]  kfree+0x74/0x270
[  670.091906]  single_release+0x54/0x6c
[  670.092080]  close_pdeo+0x128/0x224
[  670.092249]  proc_reg_release+0x110/0x128
[  670.092383]  __fput+0xec/0x2d4
[  670.092509]  task_work_run+0x13c/0x15c
[  670.092678]  do_notify_resume+0x3d8/0x438
[  670.092828]  do_user_signal+0x2c/0x34
[  670.092874]
[  670.094198] The buggy address belongs to the object at c58eae20
[  670.094198]  which belongs to the cache kmalloc-16 of size 16
[  670.105743] The buggy address is located 5 bytes inside of
[  670.105743]  16-byte region [c58eae20, c58eae30)
[  670.115660] The buggy address belongs to the page:
[  670.120447] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  670.120560] flags: 0x200(slab)
[  670.120789] raw: 00000200 00000100 00000200 c5007dc0 00000000 02000401 ffffffff 00000001
[  670.120858] page dumped because: kasan: bad access detected
[  670.120899]
[  670.122198] Memory state around the buggy address:
[  670.127004]  c58ead00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.133458]  c58ead80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.139912] >c58eae00: fb fb fc fc 00 fc fc fc fb fb fc fc fb fb fc fc
[  670.146302]                           ^
[  670.150152]  c58eae80: fb fb fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
[  670.156608]  c58eaf00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.162998] 
==================================================================
[  670.176210] kasan test: kmalloc_oob_memset_8 out-of-bounds in memset8
[  670.176342] 
==================================================================
[  670.183528] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_memset_8+0x7c/0x94 [test_kasan]
[  670.191450] Write of size 8 at addr c58eae41 by task exe/340
[  670.196972]
[  670.198555] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  670.198605] Call Trace:
[  670.198779] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  670.198982] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
[  670.199153] [c5649cc0] [c0175700] memset+0x2c/0x4c
[  670.199443] [c5649ce0] [c95d4b38] kmalloc_oob_memset_8+0x7c/0x94 [test_kasan]
[  670.199722] [c5649d00] [c95d5544] kmalloc_tests_init+0x4c/0x2d0 [test_kasan]
[  670.199912] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  670.200125] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  670.200327] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  670.200530] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  670.200723] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  670.200887] --- interrupt: c01 at 0xfd6b914
[  670.200887]     LR = 0x1001364c
[  670.200931]
[  670.202255] Allocated by task 340:
[  670.205686]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  670.205934]  kmalloc_oob_memset_8+0x44/0x94 [test_kasan]
[  670.206168]  kmalloc_tests_init+0x4c/0x2d0 [test_kasan]
[  670.206312]  do_one_initcall+0x40/0x278
[  670.206480]  do_init_module+0xcc/0x59c
[  670.206637]  load_module+0x2bc4/0x320c
[  670.206794]  sys_init_module+0x114/0x138
[  670.206937]  ret_from_syscall+0x0/0x38
[  670.206983]
[  670.208274] Freed by task 276:
[  670.211360]  __kasan_slab_free+0x120/0x22c
[  670.211479]  kfree+0x74/0x270
[  670.211611]  single_release+0x54/0x6c
[  670.211782]  close_pdeo+0x128/0x224
[  670.211947]  proc_reg_release+0x110/0x128
[  670.212079]  __fput+0xec/0x2d4
[  670.212202]  task_work_run+0x13c/0x15c
[  670.212368]  do_notify_resume+0x3d8/0x438
[  670.212515]  do_user_signal+0x2c/0x34
[  670.212561]
[  670.213904] The buggy address belongs to the object at c58eae40
[  670.213904]  which belongs to the cache kmalloc-16 of size 16
[  670.225452] The buggy address is located 1 bytes inside of
[  670.225452]  16-byte region [c58eae40, c58eae50)
[  670.235368] The buggy address belongs to the page:
[  670.240155] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  670.240265] flags: 0x200(slab)
[  670.240493] raw: 00000200 00000100 00000200 c5007dc0 00000000 02000401 ffffffff 00000001
[  670.240560] page dumped because: kasan: bad access detected
[  670.240599]
[  670.241906] Memory state around the buggy address:
[  670.246712]  c58ead00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.253167]  c58ead80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.259621] >c58eae00: fb fb fc fc fb fb fc fc 00 fc fc fc fb fb fc fc
[  670.266014]                                       ^
[  670.270894]  c58eae80: fb fb fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
[  670.277349]  c58eaf00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.283740] 
==================================================================
[  670.574861] kasan test: kmalloc_oob_memset_16 out-of-bounds in memset16
[  670.574999] 
==================================================================
[  670.582162] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_memset_16+0x7c/0x94 [test_kasan]
[  670.590260] Write of size 16 at addr c58eae81 by task exe/340
[  670.595865]
[  670.597448] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  670.597499] Call Trace:
[  670.597674] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  670.597880] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
[  670.598053] [c5649cc0] [c0175700] memset+0x2c/0x4c
[  670.598344] [c5649ce0] [c95d4bcc] kmalloc_oob_memset_16+0x7c/0x94 [test_kasan]
[  670.598626] [c5649d00] [c95d5548] kmalloc_tests_init+0x50/0x2d0 [test_kasan]
[  670.598816] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  670.599031] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  670.599234] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  670.599439] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  670.599634] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  670.599801] --- interrupt: c01 at 0xfd6b914
[  670.599801]     LR = 0x1001364c
[  670.599847]
[  670.601148] Allocated by task 340:
[  670.604580]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  670.604834]  kmalloc_oob_memset_16+0x44/0x94 [test_kasan]
[  670.605070]  kmalloc_tests_init+0x50/0x2d0 [test_kasan]
[  670.605215]  do_one_initcall+0x40/0x278
[  670.605385]  do_init_module+0xcc/0x59c
[  670.605543]  load_module+0x2bc4/0x320c
[  670.605704]  sys_init_module+0x114/0x138
[  670.605851]  ret_from_syscall+0x0/0x38
[  670.605897]
[  670.607166] Freed by task 276:
[  670.610253]  __kasan_slab_free+0x120/0x22c
[  670.610374]  kfree+0x74/0x270
[  670.610506]  single_release+0x54/0x6c
[  670.610681]  close_pdeo+0x128/0x224
[  670.610849]  proc_reg_release+0x110/0x128
[  670.610983]  __fput+0xec/0x2d4
[  670.611107]  task_work_run+0x13c/0x15c
[  670.611275]  do_notify_resume+0x3d8/0x438
[  670.611424]  do_user_signal+0x2c/0x34
[  670.611471]
[  670.612798] The buggy address belongs to the object at c58eae80
[  670.612798]  which belongs to the cache kmalloc-16 of size 16
[  670.624345] The buggy address is located 1 bytes inside of
[  670.624345]  16-byte region [c58eae80, c58eae90)
[  670.634260] The buggy address belongs to the page:
[  670.639048] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  670.639158] flags: 0x200(slab)
[  670.639387] raw: 00000200 00000100 00000200 c5007dc0 00000000 
02000401 ffffffff 00000001
[  670.639457] page dumped because: kasan: bad access detected
[  670.639497]
[  670.640799] Memory state around the buggy address:
[  670.645604]  c58ead80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.652058]  c58eae00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.658513] >c58eae80: 00 00 fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
[  670.664901]                  ^
[  670.667978]  c58eaf00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.674434]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.680825] 
==================================================================
[  670.693766] kasan test: kmalloc_uaf use-after-free
[  670.693923] 
==================================================================
[  670.701091] BUG: KASAN: use-after-free in kmalloc_uaf+0x78/0x94 
[test_kasan]
[  670.707899] Write of size 1 at addr c58eaea8 by task exe/340
[  670.713422]
[  670.715004] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  670.715055] Call Trace:
[  670.715229] [c5649c70] [c0176998] 
print_address_description+0x6c/0x2b0 (unreliable)
[  670.715433] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  670.715719] [c5649ce0] [c95d450c] kmalloc_uaf+0x78/0x94 [test_kasan]
[  670.715997] [c5649d00] [c95d554c] kmalloc_tests_init+0x54/0x2d0 
[test_kasan]
[  670.716187] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  670.716400] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  670.716601] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  670.716804] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  670.716998] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  670.717164] --- interrupt: c01 at 0xfd6b914
[  670.717164]     LR = 0x1001364c
[  670.717209]
[  670.718531] Allocated by task 340:
[  670.721965]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  670.722210]  kmalloc_uaf+0x44/0x94 [test_kasan]
[  670.722446]  kmalloc_tests_init+0x54/0x2d0 [test_kasan]
[  670.722588]  do_one_initcall+0x40/0x278
[  670.722756]  do_init_module+0xcc/0x59c
[  670.722912]  load_module+0x2bc4/0x320c
[  670.723069]  sys_init_module+0x114/0x138
[  670.723213]  ret_from_syscall+0x0/0x38
[  670.723260]
[  670.724550] Freed by task 340:
[  670.727635]  __kasan_slab_free+0x120/0x22c
[  670.727754]  kfree+0x74/0x270
[  670.727998]  kmalloc_uaf+0x70/0x94 [test_kasan]
[  670.728233]  kmalloc_tests_init+0x54/0x2d0 [test_kasan]
[  670.728375]  do_one_initcall+0x40/0x278
[  670.728543]  do_init_module+0xcc/0x59c
[  670.728698]  load_module+0x2bc4/0x320c
[  670.728855]  sys_init_module+0x114/0x138
[  670.728998]  ret_from_syscall+0x0/0x38
[  670.729044]
[  670.730356] The buggy address belongs to the object at c58eaea0
[  670.730356]  which belongs to the cache kmalloc-16 of size 16
[  670.741901] The buggy address is located 8 bytes inside of
[  670.741901]  16-byte region [c58eaea0, c58eaeb0)
[  670.751818] The buggy address belongs to the page:
[  670.756605] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  670.756716] flags: 0x200(slab)
[  670.756944] raw: 00000200 00000100 00000200 c5007dc0 00000000 
02000401 ffffffff 00000001
[  670.757012] page dumped because: kasan: bad access detected
[  670.757052]
[  670.758354] Memory state around the buggy address:
[  670.763163]  c58ead80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.769616]  c58eae00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.776070] >c58eae80: fb fb fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
[  670.782461]                           ^
[  670.786311]  c58eaf00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.792765]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  670.799157] 
==================================================================
[  671.084949] kasan test: kmalloc_uaf_memset use-after-free in memset
[  671.085122] 
==================================================================
[  671.092328] BUG: KASAN: use-after-free in 
kmalloc_tests_init+0x58/0x2d0 [test_kasan]
[  671.099824] Write of size 33 at addr c534b0c0 by task exe/340
[  671.105430]
[  671.107012] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  671.107063] Call Trace:
[  671.107238] [c5649c70] [c0176998] 
print_address_description+0x6c/0x2b0 (unreliable)
[  671.107443] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  671.107616] [c5649ce0] [c0175700] memset+0x2c/0x4c
[  671.107907] [c5649d00] [c95d5550] kmalloc_tests_init+0x58/0x2d0 
[test_kasan]
[  671.108098] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  671.108314] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  671.108518] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  671.108724] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  671.108918] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  671.109085] --- interrupt: c01 at 0xfd6b914
[  671.109085]     LR = 0x1001364c
[  671.109132]
[  671.110452] Allocated by task 340:
[  671.113886]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  671.114137]  kmalloc_uaf_memset+0x44/0x90 [test_kasan]
[  671.114374]  kmalloc_tests_init+0x58/0x2d0 [test_kasan]
[  671.114520]  do_one_initcall+0x40/0x278
[  671.114689]  do_init_module+0xcc/0x59c
[  671.114846]  load_module+0x2bc4/0x320c
[  671.115005]  sys_init_module+0x114/0x138
[  671.115151]  ret_from_syscall+0x0/0x38
[  671.115198]
[  671.116472] Freed by task 340:
[  671.119559]  __kasan_slab_free+0x120/0x22c
[  671.119681]  kfree+0x74/0x270
[  671.119927]  kmalloc_uaf_memset+0x70/0x90 [test_kasan]
[  671.120167]  kmalloc_tests_init+0x58/0x2d0 [test_kasan]
[  671.120312]  do_one_initcall+0x40/0x278
[  671.120481]  do_init_module+0xcc/0x59c
[  671.120640]  load_module+0x2bc4/0x320c
[  671.120801]  sys_init_module+0x114/0x138
[  671.120945]  ret_from_syscall+0x0/0x38
[  671.120992]
[  671.122276] The buggy address belongs to the object at c534b0c0
[  671.122276]  which belongs to the cache kmalloc-64 of size 64
[  671.133824] The buggy address is located 0 bytes inside of
[  671.133824]  64-byte region [c534b0c0, c534b100)
[  671.143741] The buggy address belongs to the page:
[  671.148527] page:c7fd9a40 count:1 mapcount:0 mapping:c5007c20 index:0x0
[  671.148637] flags: 0x200(slab)
[  671.148866] raw: 00000200 00000100 00000200 c5007c20 00000000 
00aa0155 ffffffff 00000001
[  671.148935] page dumped because: kasan: bad access detected
[  671.148975]
[  671.150277] Memory state around the buggy address:
[  671.155084]  c534af80: fc fc fc fc 00 00 00 00 04 fc fc fc fc fc fc fc
[  671.161538]  c534b000: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
[  671.167993] >c534b080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[  671.174383]                                    ^
[  671.179007]  c534b100: fc fc fc fc 00 00 00 00 04 fc fc fc fc fc fc fc
[  671.185461]  c534b180: 00 00 00 00 04 fc fc fc fc fc fc fc fb fb fb fb
[  671.191853] 
==================================================================
[  671.204460] kasan test: kmalloc_uaf2 use-after-free after another kmalloc
[  671.204676] 
==================================================================
[  671.211859] BUG: KASAN: use-after-free in kmalloc_uaf2+0x9c/0xd4 
[test_kasan]
[  671.218755] Write of size 1 at addr c534b088 by task exe/340
[  671.224277]
[  671.225860] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  671.225910] Call Trace:
[  671.226085] [c5649c70] [c0176998] 
print_address_description+0x6c/0x2b0 (unreliable)
[  671.226288] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  671.226574] [c5649ce0] [c95d45c4] kmalloc_uaf2+0x9c/0xd4 [test_kasan]
[  671.226854] [c5649d00] [c95d5554] kmalloc_tests_init+0x5c/0x2d0 
[test_kasan]
[  671.227044] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  671.227257] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  671.227458] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  671.227659] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  671.227853] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  671.228018] --- interrupt: c01 at 0xfd6b914
[  671.228018]     LR = 0x1001364c
[  671.228063]
[  671.229387] Allocated by task 340:
[  671.232819]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  671.233065]  kmalloc_uaf2+0x48/0xd4 [test_kasan]
[  671.233299]  kmalloc_tests_init+0x5c/0x2d0 [test_kasan]
[  671.233442]  do_one_initcall+0x40/0x278
[  671.233609]  do_init_module+0xcc/0x59c
[  671.233765]  load_module+0x2bc4/0x320c
[  671.233922]  sys_init_module+0x114/0x138
[  671.234066]  ret_from_syscall+0x0/0x38
[  671.234111]
[  671.235407] Freed by task 340:
[  671.238491]  __kasan_slab_free+0x120/0x22c
[  671.238609]  kfree+0x74/0x270
[  671.238851]  kmalloc_uaf2+0x78/0xd4 [test_kasan]
[  671.239085]  kmalloc_tests_init+0x5c/0x2d0 [test_kasan]
[  671.239228]  do_one_initcall+0x40/0x278
[  671.239395]  do_init_module+0xcc/0x59c
[  671.239550]  load_module+0x2bc4/0x320c
[  671.239707]  sys_init_module+0x114/0x138
[  671.239850]  ret_from_syscall+0x0/0x38
[  671.239897]
[  671.241211] The buggy address belongs to the object at c534b060
[  671.241211]  which belongs to the cache kmalloc-64 of size 64
[  671.252758] The buggy address is located 40 bytes inside of
[  671.252758]  64-byte region [c534b060, c534b0a0)
[  671.262761] The buggy address belongs to the page:
[  671.267547] page:c7fd9a40 count:1 mapcount:0 mapping:c5007c20 index:0x0
[  671.267657] flags: 0x200(slab)
[  671.267885] raw: 00000200 00000100 00000200 c5007c20 00000000 
00aa0155 ffffffff 00000001
[  671.267953] page dumped because: kasan: bad access detected
[  671.267993]
[  671.269296] Memory state around the buggy address:
[  671.274104]  c534af80: fc fc fc fc 00 00 00 00 04 fc fc fc fc fc fc fc
[  671.280561]  c534b000: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
[  671.287012] >c534b080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[  671.293399]               ^
[  671.296220]  c534b100: fc fc fc fc 00 00 00 00 04 fc fc fc fc fc fc fc
[  671.302676]  c534b180: 00 00 00 00 04 fc fc fc fc fc fc fc fb fb fb fb
[  671.309066] 
==================================================================
[  671.597554] kasan test: kmem_cache_oob out-of-bounds in kmem_cache_alloc
[  671.597819] 
==================================================================
[  671.604991] BUG: KASAN: slab-out-of-bounds in 
kmem_cache_oob+0x9c/0xd0 [test_kasan]
[  671.612398] Read of size 1 at addr c5e180c8 by task exe/340
[  671.617834]
[  671.619417] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  671.619469] Call Trace:
[  671.619645] [c5649c70] [c0176998] 
print_address_description+0x6c/0x2b0 (unreliable)
[  671.619848] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  671.620138] [c5649ce0] [c95d4d10] kmem_cache_oob+0x9c/0xd0 [test_kasan]
[  671.620420] [c5649d00] [c95d5558] kmalloc_tests_init+0x60/0x2d0 
[test_kasan]
[  671.620611] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  671.620826] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  671.621030] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  671.621234] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  671.621428] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  671.621596] --- interrupt: c01 at 0xfd6b914
[  671.621596]     LR = 0x1001364c
[  671.621642]
[  671.622944] Allocated by task 340:
[  671.626376]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  671.626504]  kmem_cache_alloc+0xf4/0x210
[  671.626752]  kmem_cache_oob+0x78/0xd0 [test_kasan]
[  671.626989]  kmalloc_tests_init+0x60/0x2d0 [test_kasan]
[  671.627135]  do_one_initcall+0x40/0x278
[  671.627305]  do_init_module+0xcc/0x59c
[  671.627463]  load_module+0x2bc4/0x320c
[  671.627623]  sys_init_module+0x114/0x138
[  671.627769]  ret_from_syscall+0x0/0x38
[  671.627816]
[  671.629132] Freed by task 0:
[  671.631954] (stack is not available)
[  671.635476]
[  671.637007] The buggy address belongs to the object at c5e18000
[  671.637007]  which belongs to the cache test_cache of size 200
[  671.648642] The buggy address is located 0 bytes to the right of
[  671.648642]  200-byte region [c5e18000, c5e180c8)
[  671.659156] The buggy address belongs to the page:
[  671.663942] page:c7fdf0c0 count:1 mapcount:0 mapping:c540a560 index:0x0
[  671.664054] flags: 0x200(slab)
[  671.664283] raw: 00000200 00000100 00000200 c540a560 00000000 
003e007d ffffffff 00000001
[  671.664353] page dumped because: kasan: bad access detected
[  671.664393]
[  671.665694] Memory state around the buggy address:
[  671.670501]  c5e17f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  671.676954]  c5e18000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  671.683409] >c5e18080: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[  671.689802]                                       ^
[  671.694680]  c5e18100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  671.701137]  c5e18180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  671.707528] 
==================================================================
[  671.758410] 
=============================================================================
[  671.766368] BUG test_cache (Tainted: G    B            ): Objects 
remaining in test_cache on __kmem_cache_shutdown()
[  671.776719] 
-----------------------------------------------------------------------------
[  671.776719]
[  671.786325] INFO: Slab 0x(ptrval) objects=62 used=1 fp=0x(ptrval) 
flags=0x0200
[  671.793514] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  671.793563] Call Trace:
[  671.793752] [c5649bf0] [c016ebe0] slab_err+0x98/0xac (unreliable)
[  671.793956] [c5649c90] [c01748f4] __kmem_cache_shutdown+0x15c/0x338
[  671.794160] [c5649cf0] [c013c3b4] kmem_cache_destroy+0x68/0x114
[  671.794463] [c5649d00] [c95d5558] kmalloc_tests_init+0x60/0x2d0 
[test_kasan]
[  671.794656] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  671.794868] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  671.795071] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  671.795275] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  671.795468] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  671.795633] --- interrupt: c01 at 0xfd6b914
[  671.795633]     LR = 0x1001364c
[  671.795738] INFO: Object 0x(ptrval) @offset=0
[  671.909762] kmem_cache_destroy test_cache: Slab cache still has objects
[  671.931546] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  671.931601] Call Trace:
[  671.931790] [c5649cf0] [c013c45c] kmem_cache_destroy+0x110/0x114 
(unreliable)
[  671.932116] [c5649d00] [c95d5558] kmalloc_tests_init+0x60/0x2d0 
[test_kasan]
[  671.932310] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  671.932526] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  671.932730] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  671.932934] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  671.933130] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  671.933300] --- interrupt: c01 at 0xfd6b914
[  671.933300]     LR = 0x1001364c
[  671.952750] kasan test: memcg_accounted_kmem_cache allocate memcg 
accounted object
[  672.556766] kasan test: kasan_stack_oob out-of-bounds on stack
[  672.556850] kasan test: kasan_global_oob out-of-bounds global variable
[  672.556922] kasan test: kasan_alloca_oob_left out-of-bounds to left 
on alloca
[  672.556995] kasan test: kasan_alloca_oob_right out-of-bounds to right 
on alloca
[  672.557070] kasan test: ksize_unpoisons_memory ksize() unpoisons the 
whole allocated chunk
[  672.557200] 
==================================================================
[  672.564395] BUG: KASAN: slab-out-of-bounds in 
ksize_unpoisons_memory+0x8c/0xac [test_kasan]
[  672.572578] Write of size 1 at addr c539ab40 by task exe/340
[  672.578098]
[  672.579682] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  672.579734] Call Trace:
[  672.579909] [c5649c70] [c0176998] 
print_address_description+0x6c/0x2b0 (unreliable)
[  672.580114] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  672.580406] [c5649ce0] [c95d5100] ksize_unpoisons_memory+0x8c/0xac 
[test_kasan]
[  672.580689] [c5649d00] [c95d5570] kmalloc_tests_init+0x78/0x2d0 
[test_kasan]
[  672.580880] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  672.581096] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  672.581299] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  672.581503] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  672.581697] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  672.581864] --- interrupt: c01 at 0xfd6b914
[  672.581864]     LR = 0x1001364c
[  672.581910]
[  672.583208] Allocated by task 340:
[  672.586642]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  672.586892]  ksize_unpoisons_memory+0x44/0xac [test_kasan]
[  672.587129]  kmalloc_tests_init+0x78/0x2d0 [test_kasan]
[  672.587275]  do_one_initcall+0x40/0x278
[  672.587445]  do_init_module+0xcc/0x59c
[  672.587602]  load_module+0x2bc4/0x320c
[  672.587761]  sys_init_module+0x114/0x138
[  672.587906]  ret_from_syscall+0x0/0x38
[  672.587953]
[  672.589227] Freed by task 338:
[  672.592316]  __kasan_slab_free+0x120/0x22c
[  672.592437]  kfree+0x74/0x270
[  672.592602]  load_elf_binary+0xb0/0x162c
[  672.592782]  search_binary_handler+0x120/0x374
[  672.592950]  __do_execve_file+0x834/0xb20
[  672.593114]  sys_execve+0x40/0x54
[  672.593259]  ret_from_syscall+0x0/0x38
[  672.593307]
[  672.594603] The buggy address belongs to the object at c539aac0
[  672.594603]  which belongs to the cache kmalloc-128 of size 128
[  672.606324] The buggy address is located 0 bytes to the right of
[  672.606324]  128-byte region [c539aac0, c539ab40)
[  672.616840] The buggy address belongs to the page:
[  672.621625] page:c7fd9cc0 count:1 mapcount:0 mapping:c5007a80 index:0x0
[  672.621738] flags: 0x200(slab)
[  672.621967] raw: 00000200 00000100 00000200 c5007a80 00000000 
005500ab ffffffff 00000001
[  672.622038] page dumped because: kasan: bad access detected
[  672.622077]
[  672.623375] Memory state around the buggy address:
[  672.628183]  c539aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  672.634637]  c539aa80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[  672.641090] >c539ab00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  672.647483]                                    ^
[  672.652106]  c539ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  672.658562]  c539ac00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  672.664951] 
==================================================================
[  672.814421] kasan test: copy_user_test out-of-bounds in copy_from_user()
[  672.814499] 
==================================================================
[  672.821643] BUG: KASAN: slab-out-of-bounds in _copy_from_user+0x48/0xc4
[  672.828089] Write of size 11 at addr c58eb020 by task exe/340
[  672.833699]
[  672.835280] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  672.835331] Call Trace:
[  672.835504] [c5649c50] [c0176998] 
print_address_description+0x6c/0x2b0 (unreliable)
[  672.835708] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
[  672.835929] [c5649cc0] [c0307be0] _copy_from_user+0x48/0xc4
[  672.836230] [c5649ce0] [c95d51b4] copy_user_test+0x94/0x1bc [test_kasan]
[  672.836512] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0 
[test_kasan]
[  672.836703] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  672.836917] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  672.837121] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  672.837326] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  672.837522] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  672.837687] --- interrupt: c01 at 0xfd6b914
[  672.837687]     LR = 0x1001364c
[  672.837733]
[  672.839067] Allocated by task 340:
[  672.842500]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  672.842749]  copy_user_test+0x28/0x1bc [test_kasan]
[  672.842985]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
[  672.843131]  do_one_initcall+0x40/0x278
[  672.843301]  do_init_module+0xcc/0x59c
[  672.843458]  load_module+0x2bc4/0x320c
[  672.843619]  sys_init_module+0x114/0x138
[  672.843764]  ret_from_syscall+0x0/0x38
[  672.843812]
[  672.845085] Freed by task 276:
[  672.848173]  __kasan_slab_free+0x120/0x22c
[  672.848295]  kfree+0x74/0x270
[  672.848427]  single_release+0x54/0x6c
[  672.848601]  close_pdeo+0x128/0x224
[  672.848768]  proc_reg_release+0x110/0x128
[  672.848903]  __fput+0xec/0x2d4
[  672.849028]  task_work_run+0x13c/0x15c
[  672.849197]  do_notify_resume+0x3d8/0x438
[  672.849346]  do_user_signal+0x2c/0x34
[  672.849393]
[  672.850719] The buggy address belongs to the object at c58eb020
[  672.850719]  which belongs to the cache kmalloc-16 of size 16
[  672.862264] The buggy address is located 0 bytes inside of
[  672.862264]  16-byte region [c58eb020, c58eb030)
[  672.872182] The buggy address belongs to the page:
[  672.876968] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  672.877079] flags: 0x200(slab)
[  672.877309] raw: 00000200 00000100 00000200 c5007dc0 00000000 
02000401 ffffffff 00000001
[  672.877377] page dumped because: kasan: bad access detected
[  672.877418]
[  672.878717] Memory state around the buggy address:
[  672.883527]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[  672.889979]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  672.896433] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
[  672.902824]                           ^
[  672.906673]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  672.913129]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  672.919520] 
==================================================================
[  672.932289] kasan test: copy_user_test out-of-bounds in copy_to_user()
[  672.932363] 
==================================================================
[  672.939457] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x9c/0xbc
[  672.945733] Read of size 11 at addr c58eb020 by task exe/340
[  672.951255]
[  672.952840] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  672.952890] Call Trace:
[  672.953061] [c5649c50] [c0176998] 
print_address_description+0x6c/0x2b0 (unreliable)
[  672.953264] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
[  672.953480] [c5649cc0] [c0307cf8] _copy_to_user+0x9c/0xbc
[  672.953781] [c5649ce0] [c95d51d4] copy_user_test+0xb4/0x1bc [test_kasan]
[  672.954060] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0 
[test_kasan]
[  672.954249] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  672.954461] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  672.954662] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  672.954866] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  672.955058] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  672.955224] --- interrupt: c01 at 0xfd6b914
[  672.955224]     LR = 0x1001364c
[  672.955269]
[  672.956538] Allocated by task 340:
[  672.959969]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  672.960219]  copy_user_test+0x28/0x1bc [test_kasan]
[  672.960454]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
[  672.960597]  do_one_initcall+0x40/0x278
[  672.960766]  do_init_module+0xcc/0x59c
[  672.960924]  load_module+0x2bc4/0x320c
[  672.961081]  sys_init_module+0x114/0x138
[  672.961226]  ret_from_syscall+0x0/0x38
[  672.961272]
[  672.962558] Freed by task 276:
[  672.965645]  __kasan_slab_free+0x120/0x22c
[  672.965764]  kfree+0x74/0x270
[  672.965896]  single_release+0x54/0x6c
[  672.966070]  close_pdeo+0x128/0x224
[  672.966236]  proc_reg_release+0x110/0x128
[  672.966369]  __fput+0xec/0x2d4
[  672.966493]  task_work_run+0x13c/0x15c
[  672.966660]  do_notify_resume+0x3d8/0x438
[  672.966809]  do_user_signal+0x2c/0x34
[  672.966855]
[  672.968190] The buggy address belongs to the object at c58eb020
[  672.968190]  which belongs to the cache kmalloc-16 of size 16
[  672.979735] The buggy address is located 0 bytes inside of
[  672.979735]  16-byte region [c58eb020, c58eb030)
[  672.989653] The buggy address belongs to the page:
[  672.994439] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  672.994550] flags: 0x200(slab)
[  672.994778] raw: 00000200 00000100 00000200 c5007dc0 00000000 
02000401 ffffffff 00000001
[  672.994845] page dumped because: kasan: bad access detected
[  672.994885]
[  672.996188] Memory state around the buggy address:
[  673.000996]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[  673.007450]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.013904] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
[  673.020295]                           ^
[  673.024144]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.030600]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.036990] 
==================================================================
[  673.327457] kasan test: copy_user_test out-of-bounds in 
__copy_from_user()
[  673.327537] 
==================================================================
[  673.334723] BUG: KASAN: slab-out-of-bounds in 
copy_user_test+0xd0/0x1bc [test_kasan]
[  673.342217] Write of size 11 at addr c58eb020 by task exe/340
[  673.347825]
[  673.349408] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  673.349459] Call Trace:
[  673.349637] [c5649c70] [c0176998] 
print_address_description+0x6c/0x2b0 (unreliable)
[  673.349842] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  673.350130] [c5649ce0] [c95d51f0] copy_user_test+0xd0/0x1bc [test_kasan]
[  673.350412] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0 
[test_kasan]
[  673.350605] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  673.350821] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  673.351025] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  673.351231] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  673.351426] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  673.351592] --- interrupt: c01 at 0xfd6b914
[  673.351592]     LR = 0x1001364c
[  673.351638]
[  673.352936] Allocated by task 340:
[  673.356367]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  673.356619]  copy_user_test+0x28/0x1bc [test_kasan]
[  673.356855]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
[  673.357000]  do_one_initcall+0x40/0x278
[  673.357168]  do_init_module+0xcc/0x59c
[  673.357324]  load_module+0x2bc4/0x320c
[  673.357483]  sys_init_module+0x114/0x138
[  673.357626]  ret_from_syscall+0x0/0x38
[  673.357673]
[  673.358954] Freed by task 276:
[  673.362040]  __kasan_slab_free+0x120/0x22c
[  673.362161]  kfree+0x74/0x270
[  673.362293]  single_release+0x54/0x6c
[  673.362465]  close_pdeo+0x128/0x224
[  673.362632]  proc_reg_release+0x110/0x128
[  673.362764]  __fput+0xec/0x2d4
[  673.362888]  task_work_run+0x13c/0x15c
[  673.363057]  do_notify_resume+0x3d8/0x438
[  673.363208]  do_user_signal+0x2c/0x34
[  673.363256]
[  673.364587] The buggy address belongs to the object at c58eb020
[  673.364587]  which belongs to the cache kmalloc-16 of size 16
[  673.376132] The buggy address is located 0 bytes inside of
[  673.376132]  16-byte region [c58eb020, c58eb030)
[  673.386050] The buggy address belongs to the page:
[  673.390836] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  673.390947] flags: 0x200(slab)
[  673.391175] raw: 00000200 00000100 00000200 c5007dc0 00000000 
02000401 ffffffff 00000001
[  673.391245] page dumped because: kasan: bad access detected
[  673.391285]
[  673.392585] Memory state around the buggy address:
[  673.397393]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[  673.403847]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.410301] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
[  673.416691]                           ^
[  673.420541]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.426997]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.433387] 
==================================================================
[  673.446960] kasan test: copy_user_test out-of-bounds in __copy_to_user()
[  673.447031] 
==================================================================
[  673.454258] BUG: KASAN: slab-out-of-bounds in 
copy_user_test+0xfc/0x1bc [test_kasan]
[  673.461753] Read of size 11 at addr c58eb020 by task exe/340
[  673.467275]
[  673.468858] CPU: 0 PID: 340 Comm: exe Tainted: G    B 
5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  673.468909] Call Trace:
[  673.469084] [c5649c70] [c0176998] 
print_address_description+0x6c/0x2b0 (unreliable)
[  673.469286] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  673.469573] [c5649ce0] [c95d521c] copy_user_test+0xfc/0x1bc [test_kasan]
[  673.469851] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0 
[test_kasan]
[  673.470042] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  673.470256] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  673.470457] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  673.470660] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  673.470853] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  673.471019] --- interrupt: c01 at 0xfd6b914
[  673.471019]     LR = 0x1001364c
[  673.471064]
[  673.472385] Allocated by task 340:
[  673.475818]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  673.476065]  copy_user_test+0x28/0x1bc [test_kasan]
[  673.476301]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
[  673.476444]  do_one_initcall+0x40/0x278
[  673.476612]  do_init_module+0xcc/0x59c
[  673.476768]  load_module+0x2bc4/0x320c
[  673.476925]  sys_init_module+0x114/0x138
[  673.477067]  ret_from_syscall+0x0/0x38
[  673.477113]
[  673.478403] Freed by task 276:
[  673.481490]  __kasan_slab_free+0x120/0x22c
[  673.481610]  kfree+0x74/0x270
[  673.481740]  single_release+0x54/0x6c
[  673.481911]  close_pdeo+0x128/0x224
[  673.482077]  proc_reg_release+0x110/0x128
[  673.482209]  __fput+0xec/0x2d4
[  673.482331]  task_work_run+0x13c/0x15c
[  673.482500]  do_notify_resume+0x3d8/0x438
[  673.482648]  do_user_signal+0x2c/0x34
[  673.482694]
[  673.484036] The buggy address belongs to the object at c58eb020
[  673.484036]  which belongs to the cache kmalloc-16 of size 16
[  673.495583] The buggy address is located 0 bytes inside of
[  673.495583]  16-byte region [c58eb020, c58eb030)
[  673.505500] The buggy address belongs to the page:
[  673.510287] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  673.510396] flags: 0x200(slab)
[  673.510622] raw: 00000200 00000100 00000200 c5007dc0 00000000 02000401 ffffffff 00000001
[  673.510690] page dumped because: kasan: bad access detected
[  673.510729]
[  673.512037] Memory state around the buggy address:
[  673.516842]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[  673.523297]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.529751] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
[  673.536142]                           ^
[  673.539991]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.546447]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.552838] ==================================================================
[  673.835827] kasan test: copy_user_test out-of-bounds in __copy_from_user_inatomic()
[  673.835905] ==================================================================
[  673.843082] BUG: KASAN: slab-out-of-bounds in copy_user_test+0x128/0x1bc [test_kasan]
[  673.850662] Write of size 11 at addr c58eb020 by task exe/340
[  673.856272]
[  673.857853] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  673.857905] Call Trace:
[  673.858080] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  673.858285] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  673.858574] [c5649ce0] [c95d5248] copy_user_test+0x128/0x1bc [test_kasan]
[  673.858855] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
[  673.859046] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  673.859261] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  673.859463] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  673.859668] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  673.859863] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  673.860029] --- interrupt: c01 at 0xfd6b914
[  673.860029]     LR = 0x1001364c
[  673.860075]
[  673.861380] Allocated by task 340:
[  673.864812]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  673.865062]  copy_user_test+0x28/0x1bc [test_kasan]
[  673.865299]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
[  673.865444]  do_one_initcall+0x40/0x278
[  673.865615]  do_init_module+0xcc/0x59c
[  673.865773]  load_module+0x2bc4/0x320c
[  673.865932]  sys_init_module+0x114/0x138
[  673.866077]  ret_from_syscall+0x0/0x38
[  673.866123]
[  673.867399] Freed by task 276:
[  673.870488]  __kasan_slab_free+0x120/0x22c
[  673.870609]  kfree+0x74/0x270
[  673.870741]  single_release+0x54/0x6c
[  673.870913]  close_pdeo+0x128/0x224
[  673.871080]  proc_reg_release+0x110/0x128
[  673.871213]  __fput+0xec/0x2d4
[  673.871337]  task_work_run+0x13c/0x15c
[  673.871506]  do_notify_resume+0x3d8/0x438
[  673.871655]  do_user_signal+0x2c/0x34
[  673.871702]
[  673.873032] The buggy address belongs to the object at c58eb020
[  673.873032]  which belongs to the cache kmalloc-16 of size 16
[  673.884578] The buggy address is located 0 bytes inside of
[  673.884578]  16-byte region [c58eb020, c58eb030)
[  673.894494] The buggy address belongs to the page:
[  673.899282] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  673.899395] flags: 0x200(slab)
[  673.899625] raw: 00000200 00000100 00000200 c5007dc0 00000000 02000401 ffffffff 00000001
[  673.899694] page dumped because: kasan: bad access detected
[  673.899734]
[  673.901033] Memory state around the buggy address:
[  673.905838]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[  673.912293]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.918748] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
[  673.925136]                           ^
[  673.928987]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.935442]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  673.941833] ==================================================================
[  673.954463] kasan test: copy_user_test out-of-bounds in __copy_to_user_inatomic()
[  673.954535] ==================================================================
[  673.961759] BUG: KASAN: slab-out-of-bounds in copy_user_test+0x154/0x1bc [test_kasan]
[  673.969339] Read of size 11 at addr c58eb020 by task exe/340
[  673.974860]
[  673.976444] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  673.976494] Call Trace:
[  673.976668] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  673.976870] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  673.977160] [c5649ce0] [c95d5274] copy_user_test+0x154/0x1bc [test_kasan]
[  673.977439] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
[  673.977630] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  673.977843] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  673.978045] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  673.978249] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  673.978441] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  673.978607] --- interrupt: c01 at 0xfd6b914
[  673.978607]     LR = 0x1001364c
[  673.978651]
[  673.979971] Allocated by task 340:
[  673.983401]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  673.983650]  copy_user_test+0x28/0x1bc [test_kasan]
[  673.983885]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
[  673.984030]  do_one_initcall+0x40/0x278
[  673.984198]  do_init_module+0xcc/0x59c
[  673.984354]  load_module+0x2bc4/0x320c
[  673.984512]  sys_init_module+0x114/0x138
[  673.984655]  ret_from_syscall+0x0/0x38
[  673.984701]
[  673.985990] Freed by task 276:
[  673.989077]  __kasan_slab_free+0x120/0x22c
[  673.989197]  kfree+0x74/0x270
[  673.989327]  single_release+0x54/0x6c
[  673.989499]  close_pdeo+0x128/0x224
[  673.989664]  proc_reg_release+0x110/0x128
[  673.989796]  __fput+0xec/0x2d4
[  673.989918]  task_work_run+0x13c/0x15c
[  673.990086]  do_notify_resume+0x3d8/0x438
[  673.990235]  do_user_signal+0x2c/0x34
[  673.990281]
[  673.991622] The buggy address belongs to the object at c58eb020
[  673.991622]  which belongs to the cache kmalloc-16 of size 16
[  674.003168] The buggy address is located 0 bytes inside of
[  674.003168]  16-byte region [c58eb020, c58eb030)
[  674.013086] The buggy address belongs to the page:
[  674.017872] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  674.017982] flags: 0x200(slab)
[  674.018210] raw: 00000200 00000100 00000200 c5007dc0 00000000 02000401 ffffffff 00000001
[  674.018277] page dumped because: kasan: bad access detected
[  674.018316]
[  674.019622] Memory state around the buggy address:
[  674.024429]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[  674.030883]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  674.037338] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
[  674.043727]                           ^
[  674.047578]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  674.054034]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  674.060424] ==================================================================
[  674.346609] kasan test: copy_user_test out-of-bounds in strncpy_from_user()
[  674.346689] ==================================================================
[  674.353778] BUG: KASAN: slab-out-of-bounds in strncpy_from_user+0x48/0x240
[  674.360487] Write of size 11 at addr c58eb020 by task exe/340
[  674.366094]
[  674.367678] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  674.367731] Call Trace:
[  674.367904] [c5649c40] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  674.368108] [c5649c70] [c0176d34] kasan_report+0xe4/0x168
[  674.368323] [c5649cb0] [c03202f8] strncpy_from_user+0x48/0x240
[  674.368627] [c5649ce0] [c95d52a4] copy_user_test+0x184/0x1bc [test_kasan]
[  674.368908] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
[  674.369100] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  674.369315] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  674.369518] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  674.369724] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  674.369919] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  674.370086] --- interrupt: c01 at 0xfd6b914
[  674.370086]     LR = 0x1001364c
[  674.370132]
[  674.371463] Allocated by task 340:
[  674.374894]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  674.375146]  copy_user_test+0x28/0x1bc [test_kasan]
[  674.375383]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
[  674.375527]  do_one_initcall+0x40/0x278
[  674.375697]  do_init_module+0xcc/0x59c
[  674.375854]  load_module+0x2bc4/0x320c
[  674.376015]  sys_init_module+0x114/0x138
[  674.376162]  ret_from_syscall+0x0/0x38
[  674.376209]
[  674.377481] Freed by task 276:
[  674.380568]  __kasan_slab_free+0x120/0x22c
[  674.380691]  kfree+0x74/0x270
[  674.380824]  single_release+0x54/0x6c
[  674.380998]  close_pdeo+0x128/0x224
[  674.381165]  proc_reg_release+0x110/0x128
[  674.381299]  __fput+0xec/0x2d4
[  674.381424]  task_work_run+0x13c/0x15c
[  674.381592]  do_notify_resume+0x3d8/0x438
[  674.381743]  do_user_signal+0x2c/0x34
[  674.381792]
[  674.383113] The buggy address belongs to the object at c58eb020
[  674.383113]  which belongs to the cache kmalloc-16 of size 16
[  674.394659] The buggy address is located 0 bytes inside of
[  674.394659]  16-byte region [c58eb020, c58eb030)
[  674.404577] The buggy address belongs to the page:
[  674.409363] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
[  674.409474] flags: 0x200(slab)
[  674.409703] raw: 00000200 00000100 00000200 c5007dc0 00000000 02000401 ffffffff 00000001
[  674.409772] page dumped because: kasan: bad access detected
[  674.409812]
[  674.411112] Memory state around the buggy address:
[  674.415920]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[  674.422374]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  674.428827] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
[  674.435218]                           ^
[  674.439067]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  674.445524]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  674.451914] ==================================================================
[  674.466513] kasan test: use_after_scope_test use-after-scope on int
[  674.466592] kasan test: use_after_scope_test use-after-scope on array
[  674.470775] kasan test: kmem_cache_double_free double-free on heap object
[  674.471059] ==================================================================
[  674.478286] BUG: KASAN: double-free or invalid-free in kmem_cache_double_free+0xac/0xc4 [test_kasan]
[  674.487095]
[  674.488679] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  674.488730] Call Trace:
[  674.488906] [c5649b30] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  674.489118] [c5649b60] [c0176c24] kasan_report_invalid_free+0x48/0x74
[  674.489296] [c5649b90] [c0175620] __kasan_slab_free+0x198/0x22c
[  674.489467] [c5649cc0] [c0173838] kmem_cache_free+0x64/0x228
[  674.489754] [c5649ce0] [c95d4df0] kmem_cache_double_free+0xac/0xc4 [test_kasan]
[  674.490029] [c5649d00] [c95d557c] kmalloc_tests_init+0x84/0x2d0 [test_kasan]
[  674.490219] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  674.490432] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  674.490633] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  674.490837] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  674.491031] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  674.491194] --- interrupt: c01 at 0xfd6b914
[  674.491194]     LR = 0x1001364c
[  674.491239]
[  674.492547] Allocated by task 340:
[  674.495981]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  674.496108]  kmem_cache_alloc+0xf4/0x210
[  674.496355]  kmem_cache_double_free+0x78/0xc4 [test_kasan]
[  674.496584]  kmalloc_tests_init+0x84/0x2d0 [test_kasan]
[  674.496727]  do_one_initcall+0x40/0x278
[  674.496893]  do_init_module+0xcc/0x59c
[  674.497050]  load_module+0x2bc4/0x320c
[  674.497208]  sys_init_module+0x114/0x138
[  674.497354]  ret_from_syscall+0x0/0x38
[  674.497400]
[  674.498652] Freed by task 340:
[  674.501739]  __kasan_slab_free+0x120/0x22c
[  674.501866]  kmem_cache_free+0x64/0x228
[  674.502112]  kmem_cache_double_free+0xa0/0xc4 [test_kasan]
[  674.502340]  kmalloc_tests_init+0x84/0x2d0 [test_kasan]
[  674.502483]  do_one_initcall+0x40/0x278
[  674.502650]  do_init_module+0xcc/0x59c
[  674.502807]  load_module+0x2bc4/0x320c
[  674.502966]  sys_init_module+0x114/0x138
[  674.503112]  ret_from_syscall+0x0/0x38
[  674.503158]
[  674.504460] The buggy address belongs to the object at c5528000
[  674.504460]  which belongs to the cache test_cache of size 200
[  674.516091] The buggy address is located 0 bytes inside of
[  674.516091]  200-byte region [c5528000, c55280c8)
[  674.526092] The buggy address belongs to the page:
[  674.530877] page:c7fda940 count:1 mapcount:0 mapping:c540a700 index:0x0
[  674.530988] flags: 0x200(slab)
[  674.531216] raw: 00000200 00000100 00000200 c540a700 00000000 003e007d ffffffff 00000001
[  674.531284] page dumped because: kasan: bad access detected
[  674.531323]
[  674.532630] Memory state around the buggy address:
[  674.537436]  c5527f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  674.543890]  c5527f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  674.550345] >c5528000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  674.556731]            ^
[  674.559293]  c5528080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[  674.565750]  c5528100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  674.572138] ==================================================================
[  674.880790] kasan test: kmem_cache_invalid_free invalid-free of heap object
[  674.881044] ==================================================================
[  674.888197] BUG: KASAN: double-free or invalid-free in kmem_cache_invalid_free+0xa0/0xc4 [test_kasan]
[  674.897089]
[  674.898670] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  674.898722] Call Trace:
[  674.898899] [c5649b30] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  674.899113] [c5649b60] [c0176c24] kasan_report_invalid_free+0x48/0x74
[  674.899293] [c5649b90] [c0175620] __kasan_slab_free+0x198/0x22c
[  674.899467] [c5649cc0] [c0173838] kmem_cache_free+0x64/0x228
[  674.899756] [c5649ce0] [c95d4ea8] kmem_cache_invalid_free+0xa0/0xc4 [test_kasan]
[  674.900031] [c5649d00] [c95d5580] kmalloc_tests_init+0x88/0x2d0 [test_kasan]
[  674.900222] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  674.900437] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  674.900639] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  674.900845] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  674.901040] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  674.901206] --- interrupt: c01 at 0xfd6b914
[  674.901206]     LR = 0x1001364c
[  674.901251]
[  674.902542] Allocated by task 340:
[  674.905975]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  674.906103]  kmem_cache_alloc+0xf4/0x210
[  674.906351]  kmem_cache_invalid_free+0x78/0xc4 [test_kasan]
[  674.906584]  kmalloc_tests_init+0x88/0x2d0 [test_kasan]
[  674.906730]  do_one_initcall+0x40/0x278
[  674.906899]  do_init_module+0xcc/0x59c
[  674.907056]  load_module+0x2bc4/0x320c
[  674.907217]  sys_init_module+0x114/0x138
[  674.907364]  ret_from_syscall+0x0/0x38
[  674.907411]
[  674.908731] Freed by task 0:
[  674.911551] (stack is not available)
[  674.915074]
[  674.916605] The buggy address belongs to the object at c5528000
[  674.916605]  which belongs to the cache test_cache of size 200
[  674.928237] The buggy address is located 1 bytes inside of
[  674.928237]  200-byte region [c5528000, c55280c8)
[  674.938237] The buggy address belongs to the page:
[  674.943024] page:c7fda940 count:1 mapcount:0 mapping:c540a7d0 index:0x0
[  674.943136] flags: 0x200(slab)
[  674.943365] raw: 00000200 00000100 00000200 c540a7d0 00000000 003e007d ffffffff 00000001
[  674.943434] page dumped because: kasan: bad access detected
[  674.943475]
[  674.944775] Memory state around the buggy address:
[  674.949581]  c5527f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  674.956036]  c5527f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  674.962491] >c5528000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  674.968876]            ^
[  674.971438]  c5528080: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[  674.977895]  c5528100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  674.984285] ==================================================================
[  675.126818] kasan test: kasan_memchr out-of-bounds in memchr
[  675.126994] kasan test: kasan_memcmp out-of-bounds in memcmp
[  675.127158] kasan test: kasan_strings use-after-free in strchr
[  675.127309] ==================================================================
[  675.134382] BUG: KASAN: use-after-free in strchr+0x1c/0x80
[  675.139762] Read of size 1 at addr c53e8e20 by task exe/340
[  675.145200]
[  675.146784] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  675.146836] Call Trace:
[  675.147010] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  675.147215] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
[  675.147385] [c5649cc0] [c072ec4c] strchr+0x1c/0x80
[  675.147684] [c5649ce0] [c95d5440] kasan_strings+0x60/0x118 [test_kasan]
[  675.147966] [c5649d00] [c95d558c] kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.148157] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  675.148372] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  675.148577] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  675.148781] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  675.148976] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  675.149143] --- interrupt: c01 at 0xfd6b914
[  675.149143]     LR = 0x1001364c
[  675.149189]
[  675.150483] Allocated by task 340:
[  675.153915]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  675.154163]  kasan_strings+0x44/0x118 [test_kasan]
[  675.154400]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.154545]  do_one_initcall+0x40/0x278
[  675.154714]  do_init_module+0xcc/0x59c
[  675.154872]  load_module+0x2bc4/0x320c
[  675.155033]  sys_init_module+0x114/0x138
[  675.155179]  ret_from_syscall+0x0/0x38
[  675.155225]
[  675.156501] Freed by task 340:
[  675.159587]  __kasan_slab_free+0x120/0x22c
[  675.159709]  kfree+0x74/0x270
[  675.159954]  kasan_strings+0x54/0x118 [test_kasan]
[  675.160191]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.160337]  do_one_initcall+0x40/0x278
[  675.160508]  do_init_module+0xcc/0x59c
[  675.160667]  load_module+0x2bc4/0x320c
[  675.160828]  sys_init_module+0x114/0x138
[  675.160973]  ret_from_syscall+0x0/0x38
[  675.161019]
[  675.162306] The buggy address belongs to the object at c53e8e10
[  675.162306]  which belongs to the cache kmalloc-32 of size 32
[  675.173853] The buggy address is located 16 bytes inside of
[  675.173853]  32-byte region [c53e8e10, c53e8e30)
[  675.183856] The buggy address belongs to the page:
[  675.188642] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
[  675.188753] flags: 0x200(slab)
[  675.188982] raw: 00000200 00000100 00000200 c5007cf0 00000000 015502ab ffffffff 00000001
[  675.189051] page dumped because: kasan: bad access detected
[  675.189091]
[  675.190392] Memory state around the buggy address:
[  675.195199]  c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
[  675.201653]  c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00
[  675.208108] >c53e8e00: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc fb fb
[  675.214497]                        ^
[  675.218089]  c53e8e80: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
[  675.224544]  c53e8f00: 00 00 00 04 fc fc fb fb fb fb fc fc fb fb fb fb
[  675.230935] ==================================================================
[  675.383353] kasan test: kasan_strings use-after-free in strrchr
[  675.383430] ==================================================================
[  675.390498] BUG: KASAN: use-after-free in strrchr+0x30/0x64
[  675.395964] Read of size 1 at addr c53e8e20 by task exe/340
[  675.401403]
[  675.402986] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  675.403038] Call Trace:
[  675.403212] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  675.403415] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
[  675.403587] [c5649cc0] [c072ed48] strrchr+0x30/0x64
[  675.403888] [c5649ce0] [c95d545c] kasan_strings+0x7c/0x118 [test_kasan]
[  675.404170] [c5649d00] [c95d558c] kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.404362] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  675.404576] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  675.404779] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  675.404983] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  675.405177] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  675.405344] --- interrupt: c01 at 0xfd6b914
[  675.405344]     LR = 0x1001364c
[  675.405390]
[  675.406684] Allocated by task 340:
[  675.410118]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  675.410366]  kasan_strings+0x44/0x118 [test_kasan]
[  675.410603]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.410750]  do_one_initcall+0x40/0x278
[  675.410919]  do_init_module+0xcc/0x59c
[  675.411078]  load_module+0x2bc4/0x320c
[  675.411238]  sys_init_module+0x114/0x138
[  675.411384]  ret_from_syscall+0x0/0x38
[  675.411430]
[  675.412704] Freed by task 340:
[  675.415789]  __kasan_slab_free+0x120/0x22c
[  675.415910]  kfree+0x74/0x270
[  675.416155]  kasan_strings+0x54/0x118 [test_kasan]
[  675.416391]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.416537]  do_one_initcall+0x40/0x278
[  675.416706]  do_init_module+0xcc/0x59c
[  675.416865]  load_module+0x2bc4/0x320c
[  675.417024]  sys_init_module+0x114/0x138
[  675.417169]  ret_from_syscall+0x0/0x38
[  675.417215]
[  675.418509] The buggy address belongs to the object at c53e8e10
[  675.418509]  which belongs to the cache kmalloc-32 of size 32
[  675.430055] The buggy address is located 16 bytes inside of
[  675.430055]  32-byte region [c53e8e10, c53e8e30)
[  675.440057] The buggy address belongs to the page:
[  675.444844] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
[  675.444955] flags: 0x200(slab)
[  675.445184] raw: 00000200 00000100 00000200 c5007cf0 00000000 015502ab ffffffff 00000001
[  675.445253] page dumped because: kasan: bad access detected
[  675.445293]
[  675.446595] Memory state around the buggy address:
[  675.451401]  c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
[  675.457856]  c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00
[  675.464310] >c53e8e00: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc fb fb
[  675.470698]                        ^
[  675.474291]  c53e8e80: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
[  675.480747]  c53e8f00: 00 00 00 04 fc fc fb fb fb fb fc fc fb fb fb fb
[  675.487138] ==================================================================
[  675.500419] kasan test: kasan_strings use-after-free in strcmp
[  675.500491] ==================================================================
[  675.507536] BUG: KASAN: use-after-free in strcmp+0x30/0x90
[  675.512918] Read of size 1 at addr c53e8e20 by task exe/340
[  675.518358]
[  675.519942] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  675.519994] Call Trace:
[  675.520167] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  675.520369] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
[  675.520536] [c5649cc0] [c072ebd0] strcmp+0x30/0x90
[  675.520833] [c5649ce0] [c95d5480] kasan_strings+0xa0/0x118 [test_kasan]
[  675.521113] [c5649d00] [c95d558c] kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.521303] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  675.521514] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  675.521716] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  675.521919] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  675.522111] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  675.522275] --- interrupt: c01 at 0xfd6b914
[  675.522275]     LR = 0x1001364c
[  675.522320]
[  675.523640] Allocated by task 340:
[  675.527073]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  675.527321]  kasan_strings+0x44/0x118 [test_kasan]
[  675.527556]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.527699]  do_one_initcall+0x40/0x278
[  675.527867]  do_init_module+0xcc/0x59c
[  675.528024]  load_module+0x2bc4/0x320c
[  675.528182]  sys_init_module+0x114/0x138
[  675.528327]  ret_from_syscall+0x0/0x38
[  675.528373]
[  675.529658] Freed by task 340:
[  675.532745]  __kasan_slab_free+0x120/0x22c
[  675.532865]  kfree+0x74/0x270
[  675.533109]  kasan_strings+0x54/0x118 [test_kasan]
[  675.533343]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.533486]  do_one_initcall+0x40/0x278
[  675.533654]  do_init_module+0xcc/0x59c
[  675.533810]  load_module+0x2bc4/0x320c
[  675.533967]  sys_init_module+0x114/0x138
[  675.534112]  ret_from_syscall+0x0/0x38
[  675.534157]
[  675.535463] The buggy address belongs to the object at c53e8e10
[  675.535463]  which belongs to the cache kmalloc-32 of size 32
[  675.547010] The buggy address is located 16 bytes inside of
[  675.547010]  32-byte region [c53e8e10, c53e8e30)
[  675.557012] The buggy address belongs to the page:
[  675.561799] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
[  675.561909] flags: 0x200(slab)
[  675.562137] raw: 00000200 00000100 00000200 c5007cf0 00000000 015502ab ffffffff 00000001
[  675.562204] page dumped because: kasan: bad access detected
[  675.562243]
[  675.563549] Memory state around the buggy address:
[  675.568356]  c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
[  675.574809]  c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00
[  675.581265] >c53e8e00: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc fb fb
[  675.587653]                        ^
[  675.591247]  c53e8e80: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
[  675.597702]  c53e8f00: 00 00 00 04 fc fc fb fb fb fb fc fc fb fb fb fb
[  675.604091] ==================================================================
[  675.894391] kasan test: kasan_strings use-after-free in strncmp
[  675.894468] kasan test: kasan_strings use-after-free in strlen
[  675.894536] kasan test: kasan_strings use-after-free in strnlen
[  675.894600] ==================================================================
[  675.901698] BUG: KASAN: use-after-free in strnlen+0x24/0x88
[  675.907165] Read of size 1 at addr c53e8e20 by task exe/340
[  675.912603]
[  675.914186] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
[  675.914237] Call Trace:
[  675.914412] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
[  675.914617] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
[  675.914788] [c5649ce0] [c072eeb4] strnlen+0x24/0x88
[  675.915091] [c5649d00] [c95d558c] kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.915283] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
[  675.915497] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
[  675.915700] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
[  675.915904] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
[  675.916099] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
[  675.916267] --- interrupt: c01 at 0xfd6b914
[  675.916267]     LR = 0x1001364c
[  675.916312]
[  675.917626] Allocated by task 340:
[  675.921059]  __kasan_kmalloc.isra.0+0xc8/0x1b0
[  675.921309]  kasan_strings+0x44/0x118 [test_kasan]
[  675.921546]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.921690]  do_one_initcall+0x40/0x278
[  675.921858]  do_init_module+0xcc/0x59c
[  675.922016]  load_module+0x2bc4/0x320c
[  675.922174]  sys_init_module+0x114/0x138
[  675.922318]  ret_from_syscall+0x0/0x38
[  675.922365]
[  675.923645] Freed by task 340:
[  675.926731]  __kasan_slab_free+0x120/0x22c
[  675.926851]  kfree+0x74/0x270
[  675.927097]  kasan_strings+0x54/0x118 [test_kasan]
[  675.927334]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
[  675.927479]  do_one_initcall+0x40/0x278
[  675.927647]  do_init_module+0xcc/0x59c
[  675.927804]  load_module+0x2bc4/0x320c
[  675.927962]  sys_init_module+0x114/0x138
[  675.928107]  ret_from_syscall+0x0/0x38
[  675.928154]
[  675.929450] The buggy address belongs to the object at c53e8e10
[  675.929450]  which belongs to the cache kmalloc-32 of size 32
[  675.940997] The buggy address is located 16 bytes inside of
[  675.940997]  32-byte region [c53e8e10, c53e8e30)
[  675.950999] The buggy address belongs to the page:
[  675.955786] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
[  675.955897] flags: 0x200(slab)
[  675.956127] raw: 00000200 00000100 00000200 c5007cf0 00000000 015502ab ffffffff 00000001
[  675.956196] page dumped because: kasan: bad access detected
[  675.956236]
[  675.957536] Memory state around the buggy address:
[  675.962343]  c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
[  675.968796]  c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00
[  675.975251] >c53e8e00: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc fb fb
[  675.981640]                        ^
[  675.985233]  c53e8e80: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
[  675.991688]  c53e8f00: 00 00 00 04 fc fc fb fb fb fb fc fc fb fb fb fb
[  675.998080] ==================================================================
[  721.624809] random: crng init done

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH v3 3/3] powerpc/32: Add KASAN support
  2019-01-21 10:36     ` Christophe Leroy
@ 2019-01-21 12:33       ` Dmitry Vyukov
  0 siblings, 0 replies; 19+ messages in thread
From: Dmitry Vyukov @ 2019-01-21 12:33 UTC (permalink / raw)
  To: Christophe Leroy
  Cc: Aneesh Kumar K.V, LKML, Nicholas Piggin, Linux-MM,
	Paul Mackerras, kasan-dev, Andrey Ryabinin, Alexander Potapenko,
	linuxppc-dev

On Mon, Jan 21, 2019 at 11:36 AM Christophe Leroy
<christophe.leroy@c-s.fr> wrote:
>
>
>
> Le 15/01/2019 à 18:23, Andrey Ryabinin a écrit :
> >
> >
> > On 1/12/19 2:16 PM, Christophe Leroy wrote:
> >
> >> +KASAN_SANITIZE_early_32.o := n
> >> +KASAN_SANITIZE_cputable.o := n
> >> +KASAN_SANITIZE_prom_init.o := n
> >> +
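Review bot: these three `KASAN_SANITIZE_*.o := n` lines carry an unstated invariant (nothing that runs before the shadow is set up may be instrumented) that the Makefile cannot enforce, so add a one-line comment above them saying why each object is listed; otherwise code moved into or out of early_32.c, cputable.c or prom_init.c later will get instrumented, or lose instrumentation, by accident. The same comment is the natural place to record the branch-profiling point raised just below, since an instrumented ftrace_likely_update() call in every if() defeats the purpose of the list.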
> >
> > Usually it's also a good idea to disable branch profiling - define DISABLE_BRANCH_PROFILING
> > either at the top of these files or via Makefile. Branch profiling redefines the if() statement and calls
> > instrumented ftrace_likely_update in every if().
> >
> >
> >
> >> diff --git a/arch/powerpc/mm/kasan_init.c b/arch/powerpc/mm/kasan_init.c
> >> new file mode 100644
> >> index 000000000000..3edc9c2d2f3e
> >
> >> +void __init kasan_init(void)
> >> +{
> >> +    struct memblock_region *reg;
> >> +
> >> +    for_each_memblock(memory, reg)
> >> +            kasan_init_region(reg);
> >> +
> >> +    pr_info("KASAN init done\n");
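Review bot: this loop only populates shadow for memblock memory regions, while the module used for testing runs instrumented code outside them (the [test_kasan] frames in the reports above sit at c95d521c and nearby, in module space). If the rest of the shadow range is intentionally left on an early zero page, say so in a comment above the loop; if the vmalloc/module range is supposed to get real shadow, this function is where that case is missing. Also note that the pr_info() fires before anything can be reported unless reporting is enabled first.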
> >
> > Without "init_task.kasan_depth = 0;" kasan will not report bugs.
> >
> > There is a test_kasan module. Make sure that it produces reports.
> >
>
> I get the following report with test_kasan module.
>
> Could you have a look at it and tell if everything is as expected?

Unfortunately the kernel does not support tests that could check this.
This is called a test, but it does not actually test anything. There
is a bug open for this:
https://bugzilla.kernel.org/show_bug.cgi?id=198441

You need to look at each test and understand if it is supposed to
produce a report or not, and then check if it actually produced the
report or not. In most cases this can be understood from the test name
(hopefully).


> [  667.298897] kasan test: kmalloc_oob_right out-of-bounds to right
> [  667.299036]
> ==================================================================
> [  667.306263] BUG: KASAN: slab-out-of-bounds in
> kmalloc_oob_right+0x74/0x94 [test_kasan]
> [  667.313929] Write of size 1 at addr c53996fb by task exe/340
> [  667.319451]
> [  667.321021] CPU: 0 PID: 340 Comm: exe Not tainted
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  667.321072] Call Trace:
> [  667.321248] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  667.321452] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  667.321741] [c5649ce0] [c95d41d4] kmalloc_oob_right+0x74/0x94
> [test_kasan]
> [  667.322022] [c5649d00] [c95d5510] kmalloc_tests_init+0x18/0x2d0
> [test_kasan]
> [  667.322214] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  667.322428] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  667.322630] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  667.322834] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  667.323027] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  667.323193] --- interrupt: c01 at 0xfd6b914
> [  667.323193]     LR = 0x1001364c
> [  667.323239]
> [  667.324561] Allocated by task 340:
> [  667.327993]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  667.328241]  kmalloc_oob_right+0x44/0x94 [test_kasan]
> [  667.328477]  kmalloc_tests_init+0x18/0x2d0 [test_kasan]
> [  667.328622]  do_one_initcall+0x40/0x278
> [  667.328792]  do_init_module+0xcc/0x59c
> [  667.328948]  load_module+0x2bc4/0x320c
> [  667.329107]  sys_init_module+0x114/0x138
> [  667.329250]  ret_from_syscall+0x0/0x38
> [  667.329298]
> [  667.330580] Freed by task 335:
> [  667.333667]  __kasan_slab_free+0x120/0x22c
> [  667.333788]  kfree+0x74/0x270
> [  667.333950]  load_elf_binary+0xb0/0x162c
> [  667.334129]  search_binary_handler+0x120/0x374
> [  667.334297]  __do_execve_file+0x834/0xb20
> [  667.334460]  sys_execve+0x40/0x54
> [  667.334605]  ret_from_syscall+0x0/0x38
> [  667.334652]
> [  667.335954] The buggy address belongs to the object at c5399680
> [  667.335954]  which belongs to the cache kmalloc-128 of size 128
> [  667.347675] The buggy address is located 123 bytes inside of
> [  667.347675]  128-byte region [c5399680, c5399700)
> [  667.357847] The buggy address belongs to the page:
> [  667.362634] page:c7fd9cc0 count:1 mapcount:0 mapping:c5007a80 index:0x0
> [  667.362745] flags: 0x200(slab)
> [  667.362973] raw: 00000200 00000100 00000200 c5007a80 00000000
> 005500ab ffffffff 00000001
> [  667.363043] page dumped because: kasan: bad access detected
> [  667.363083]
> [  667.364384] Memory state around the buggy address:
> [  667.369190]  c5399580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> [  667.375645]  c5399600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> [  667.382099] >c5399680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03
> [  667.388496]                                                         ^
> [  667.394921]  c5399700: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> [  667.401377]  c5399780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> [  667.407767]
> ==================================================================
> [  667.414904] Disabling lock debugging due to kernel taint
> [  667.421182] kasan test: kmalloc_oob_left out-of-bounds to left
> [  667.421314]
> ==================================================================
> [  667.428466] BUG: KASAN: slab-out-of-bounds in
> kmalloc_oob_left+0x74/0x9c [test_kasan]
> [  667.436045] Read of size 1 at addr c58e9ddf by task exe/340
> [  667.441483]
> [  667.443064] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  667.443115] Call Trace:
> [  667.443290] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  667.443492] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  667.443779] [c5649ce0] [c95d4268] kmalloc_oob_left+0x74/0x9c [test_kasan]
> [  667.444057] [c5649d00] [c95d5514] kmalloc_tests_init+0x1c/0x2d0
> [test_kasan]
> [  667.444246] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  667.444458] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  667.444658] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  667.444859] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  667.445051] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  667.445215] --- interrupt: c01 at 0xfd6b914
> [  667.445215]     LR = 0x1001364c
> [  667.445260]
> [  667.446593] Allocated by task 340:
> [  667.450025]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  667.450191]  do_init_module+0x2c/0x59c
> [  667.450346]  load_module+0x2bc4/0x320c
> [  667.450503]  sys_init_module+0x114/0x138
> [  667.450645]  ret_from_syscall+0x0/0x38
> [  667.450691]
> [  667.452009] Freed by task 276:
> [  667.455096]  __kasan_slab_free+0x120/0x22c
> [  667.455214]  kfree+0x74/0x270
> [  667.455344]  single_release+0x54/0x6c
> [  667.455516]  close_pdeo+0x128/0x224
> [  667.455680]  proc_reg_release+0x110/0x128
> [  667.455811]  __fput+0xec/0x2d4
> [  667.455934]  task_work_run+0x13c/0x15c
> [  667.456101]  do_notify_resume+0x3d8/0x438
> [  667.456248]  do_user_signal+0x2c/0x34
> [  667.456294]
> [  667.457641] The buggy address belongs to the object at c58e9dc0
> [  667.457641]  which belongs to the cache kmalloc-16 of size 16
> [  667.469191] The buggy address is located 15 bytes to the right of
> [  667.469191]  16-byte region [c58e9dc0, c58e9dd0)
> [  667.479708] The buggy address belongs to the page:
> [  667.484495] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  667.484606] flags: 0x200(slab)
> [  667.484833] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  667.484900] page dumped because: kasan: bad access detected
> [  667.484940]
> [  667.486244] Memory state around the buggy address:
> [  667.491051]  c58e9c80: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
> [  667.497505]  c58e9d00: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
> [  667.503959] >c58e9d80: 00 00 fc fc 00 00 fc fc 00 04 fc fc 00 07 fc fc
> [  667.510354]                                             ^
> [  667.515748]  c58e9e00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  667.522204]  c58e9e80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  667.528595]
> ==================================================================
> [  667.803662] kasan test: kmalloc_node_oob_right kmalloc_node():
> out-of-bounds to right
> [  667.803806]
> ==================================================================
> [  667.811008] BUG: KASAN: slab-out-of-bounds in
> kmalloc_node_oob_right+0x74/0x94 [test_kasan]
> [  667.819105] Write of size 1 at addr c59a4300 by task exe/340
> [  667.824627]
> [  667.826209] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  667.826260] Call Trace:
> [  667.826436] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  667.826640] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  667.826931] [c5649ce0] [c95d4304] kmalloc_node_oob_right+0x74/0x94
> [test_kasan]
> [  667.827211] [c5649d00] [c95d5518] kmalloc_tests_init+0x20/0x2d0
> [test_kasan]
> [  667.827402] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  667.827616] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  667.827818] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  667.828022] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  667.828216] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  667.828382] --- interrupt: c01 at 0xfd6b914
> [  667.828382]     LR = 0x1001364c
> [  667.828428]
> [  667.829737] Allocated by task 340:
> [  667.833169]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  667.833420]  kmalloc_node_oob_right+0x44/0x94 [test_kasan]
> [  667.833656]  kmalloc_tests_init+0x20/0x2d0 [test_kasan]
> [  667.833801]  do_one_initcall+0x40/0x278
> [  667.833970]  do_init_module+0xcc/0x59c
> [  667.834125]  load_module+0x2bc4/0x320c
> [  667.834284]  sys_init_module+0x114/0x138
> [  667.834427]  ret_from_syscall+0x0/0x38
> [  667.834475]
> [  667.835756] Freed by task 319:
> [  667.838843]  __kasan_slab_free+0x120/0x22c
> [  667.838963]  kfree+0x74/0x270
> [  667.839137]  kobject_uevent_env+0x15c/0x65c
> [  667.839299]  led_trigger_set+0x3f0/0x4fc
> [  667.839451]  led_trigger_store+0xd8/0x164
> [  667.839593]  kernfs_fop_write+0x18c/0x218
> [  667.839721]  __vfs_write+0x5c/0x258
> [  667.839843]  vfs_write+0xe4/0x248
> [  667.839966]  ksys_write+0x58/0xd8
> [  667.840111]  ret_from_syscall+0x0/0x38
> [  667.840158]
> [  667.841475] The buggy address belongs to the object at c59a3300
> [  667.841475]  which belongs to the cache kmalloc-4k of size 4096
> [  667.853196] The buggy address is located 0 bytes to the right of
> [  667.853196]  4096-byte region [c59a3300, c59a4300)
> [  667.863798] The buggy address belongs to the page:
> [  667.868586] page:c7fdcd00 count:1 mapcount:0 mapping:c50075a0
> index:0x0 compound_mapcount: 0
> [  667.868727] flags: 0x10200(slab|head)
> [  667.868956] raw: 00010200 00000100 00000200 c50075a0 00000000
> 000f001f ffffffff 00000001
> [  667.869025] page dumped because: kasan: bad access detected
> [  667.869065]
> [  667.870334] Memory state around the buggy address:
> [  667.875141]  c59a4200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  667.881595]  c59a4280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  667.888049] >c59a4300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  667.894436]            ^
> [  667.896998]  c59a4380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  667.903454]  c59a4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  667.909845]
> ==================================================================
> [  667.923434] kasan test: kmalloc_pagealloc_oob_right kmalloc pagealloc
> allocation: out-of-bounds to right
> [  667.923647]
> ==================================================================
> [  667.930896] BUG: KASAN: slab-out-of-bounds in
> kmalloc_pagealloc_oob_right+0x78/0x98 [test_kasan]
> [  667.939503] Write of size 1 at addr c5bd800a by task exe/340
> [  667.945024]
> [  667.946607] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  667.946657] Call Trace:
> [  667.946833] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  667.947035] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  667.947325] [c5649ce0] [c95d4674]
> kmalloc_pagealloc_oob_right+0x78/0x98 [test_kasan]
> [  667.947603] [c5649d00] [c95d551c] kmalloc_tests_init+0x24/0x2d0
> [test_kasan]
> [  667.947792] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  667.948004] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  667.948204] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  667.948406] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  667.948597] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  667.948760] --- interrupt: c01 at 0xfd6b914
> [  667.948760]     LR = 0x1001364c
> [  667.948806]
> [  667.950115] The buggy address belongs to the page:
> [  667.954903] page:c7fdde80 count:1 mapcount:0 mapping:00000000
> index:0x0 compound_mapcount: 0
> [  667.955038] flags: 0x10000(head)
> [  667.955260] raw: 00010000 00000100 00000200 00000000 00000000
> 00000000 ffffffff 00000001
> [  667.955327] page dumped because: kasan: bad access detected
> [  667.955367]
> [  667.956652] Memory state around the buggy address:
> [  667.961458]  c5bd7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  667.967912]  c5bd7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  667.974367] >c5bd8000: 00 02 fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> [  667.980755]               ^
> [  667.983574]  c5bd8080: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> [  667.990030]  c5bd8100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> [  667.996420]
> ==================================================================
> [  668.222064] kasan test: kmalloc_pagealloc_uaf kmalloc pagealloc
> allocation: use-after-free
> [  668.222349]
> ==================================================================
> [  668.229525] BUG: KASAN: use-after-free in
> kmalloc_pagealloc_uaf+0x78/0x94 [test_kasan]
> [  668.237274] Write of size 1 at addr c5bd0000 by task exe/340
> [  668.242796]
> [  668.244378] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  668.244429] Call Trace:
> [  668.244606] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  668.244810] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  668.245100] [c5649ce0] [c95d470c] kmalloc_pagealloc_uaf+0x78/0x94
> [test_kasan]
> [  668.245381] [c5649d00] [c95d5520] kmalloc_tests_init+0x28/0x2d0
> [test_kasan]
> [  668.245573] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  668.245787] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  668.245989] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  668.246192] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  668.246386] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  668.246552] --- interrupt: c01 at 0xfd6b914
> [  668.246552]     LR = 0x1001364c
> [  668.246598]
> [  668.247886] The buggy address belongs to the page:
> [  668.252671] page:c7fdde80 count:0 mapcount:-128 mapping:00000000
> index:0x0
> [  668.252769] flags: 0x0()
> [  668.252994] raw: 00000000 c7fdcf84 c0982ae8 00000000 00000000
> 00000002 ffffff7f 00000000
> [  668.253062] page dumped because: kasan: bad access detected
> [  668.253102]
> [  668.254337] Memory state around the buggy address:
> [  668.259143]  c5bcff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  668.265597]  c5bcff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  668.272052] >c5bd0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [  668.278439]            ^
> [  668.281001]  c5bd0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [  668.287458]  c5bd0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [  668.293847]
> ==================================================================
> [  668.310744] kasan test: kmalloc_pagealloc_invalid_free kmalloc
> pagealloc allocation: invalid-free
> [  668.310957]
> ==================================================================
> [  668.318156] BUG: KASAN: double-free or invalid-free in
> kmalloc_tests_init+0x2c/0x2d0 [test_kasan]
> [  668.326705]
> [  668.328286] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  668.328337] Call Trace:
> [  668.328512] [c5649c80] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  668.328724] [c5649cb0] [c0176c24] kasan_report_invalid_free+0x48/0x74
> [  668.328888] [c5649ce0] [c0173c14] kfree+0x1f8/0x270
> [  668.329176] [c5649d00] [c95d5524] kmalloc_tests_init+0x2c/0x2d0
> [test_kasan]
> [  668.329365] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  668.329577] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  668.329777] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  668.329978] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  668.330170] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  668.330334] --- interrupt: c01 at 0xfd6b914
> [  668.330334]     LR = 0x1001364c
> [  668.330379]
> [  668.331622] The buggy address belongs to the page:
> [  668.336410] page:c7fdde80 count:1 mapcount:0 mapping:00000000
> index:0x0 compound_mapcount: 0
> [  668.336545] flags: 0x10000(head)
> [  668.336767] raw: 00010000 00000100 00000200 00000000 00000000
> 00000000 ffffffff 00000001
> [  668.336834] page dumped because: kasan: bad access detected
> [  668.336873]
> [  668.338158] Memory state around the buggy address:
> [  668.342965]  c5bcff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  668.349419]  c5bcff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  668.355874] >c5bd0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  668.362260]            ^
> [  668.364822]  c5bd0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  668.371279]  c5bd0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  668.377668]
> ==================================================================
> [  668.528086] kasan test: kmalloc_large_oob_right kmalloc large
> allocation: out-of-bounds to right
> [  668.528279]
> ==================================================================
> [  668.535471] BUG: KASAN: slab-out-of-bounds in
> kmalloc_large_oob_right+0x74/0x94 [test_kasan]
> [  668.543735] Write of size 1 at addr c5498700 by task exe/340
> [  668.549257]
> [  668.550840] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  668.550891] Call Trace:
> [  668.551068] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  668.551272] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  668.551561] [c5649ce0] [c95d4398] kmalloc_large_oob_right+0x74/0x94
> [test_kasan]
> [  668.551842] [c5649d00] [c95d5528] kmalloc_tests_init+0x30/0x2d0
> [test_kasan]
> [  668.552034] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  668.552248] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  668.552450] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  668.552655] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  668.552848] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  668.553013] --- interrupt: c01 at 0xfd6b914
> [  668.553013]     LR = 0x1001364c
> [  668.553059]
> [  668.554367] Allocated by task 340:
> [  668.557799]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  668.558049]  kmalloc_large_oob_right+0x44/0x94 [test_kasan]
> [  668.558285]  kmalloc_tests_init+0x30/0x2d0 [test_kasan]
> [  668.558430]  do_one_initcall+0x40/0x278
> [  668.558599]  do_init_module+0xcc/0x59c
> [  668.558756]  load_module+0x2bc4/0x320c
> [  668.558915]  sys_init_module+0x114/0x138
> [  668.559058]  ret_from_syscall+0x0/0x38
> [  668.559106]
> [  668.560386] Freed by task 173:
> [  668.563473]  __kasan_slab_free+0x120/0x22c
> [  668.563595]  kfree+0x74/0x270
> [  668.563763]  consume_skb+0x38/0x138
> [  668.563935]  skb_free_datagram+0x1c/0x80
> [  668.564104]  netlink_recvmsg+0x1d0/0x4d4
> [  668.564270]  ___sys_recvmsg+0xd8/0x194
> [  668.564436]  __sys_recvmsg+0x40/0x8c
> [  668.564563]  sys_socketcall+0xf8/0x210
> [  668.564709]  ret_from_syscall+0x0/0x38
> [  668.564756]
> [  668.566106] The buggy address belongs to the object at c5490800
> [  668.566106]  which belongs to the cache kmalloc-32k of size 32768
> [  668.578000] The buggy address is located 32512 bytes inside of
> [  668.578000]  32768-byte region [c5490800, c5498800)
> [  668.588514] The buggy address belongs to the page:
> [  668.593302] page:c7fda400 count:1 mapcount:0 mapping:c5007330
> index:0x0 compound_mapcount: 0
> [  668.593443] flags: 0x10200(slab|head)
> [  668.593672] raw: 00010200 00000100 00000200 c5007330 00000000
> 00030007 ffffffff 00000001
> [  668.593741] page dumped because: kasan: bad access detected
> [  668.593781]
> [  668.595051] Memory state around the buggy address:
> [  668.599857]  c5498600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  668.606311]  c5498680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  668.612765] >c5498700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  668.619152]            ^
> [  668.621714]  c5498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  668.628171]  c5498800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  668.634561]
> ==================================================================
> [  668.645940] kasan test: kmalloc_oob_krealloc_more out-of-bounds after
> krealloc more
> [  668.646103]
> ==================================================================
> [  668.653286] BUG: KASAN: slab-out-of-bounds in
> kmalloc_oob_krealloc_more+0x8c/0xac [test_kasan]
> [  668.661723] Write of size 1 at addr c53e8ca3 by task exe/340
> [  668.667245]
> [  668.668827] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  668.668877] Call Trace:
> [  668.669052] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  668.669254] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  668.669543] [c5649ce0] [c95d4838] kmalloc_oob_krealloc_more+0x8c/0xac
> [test_kasan]
> [  668.669823] [c5649d00] [c95d552c] kmalloc_tests_init+0x34/0x2d0
> [test_kasan]
> [  668.670012] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  668.670225] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  668.670426] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  668.670627] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  668.670819] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  668.670982] --- interrupt: c01 at 0xfd6b914
> [  668.670982]     LR = 0x1001364c
> [  668.671027]
> [  668.672354] Allocated by task 340:
> [  668.675786]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  668.675935]  krealloc+0xb0/0xe8
> [  668.676185]  kmalloc_oob_krealloc_more+0x58/0xac [test_kasan]
> [  668.676419]  kmalloc_tests_init+0x34/0x2d0 [test_kasan]
> [  668.676563]  do_one_initcall+0x40/0x278
> [  668.676730]  do_init_module+0xcc/0x59c
> [  668.676885]  load_module+0x2bc4/0x320c
> [  668.677042]  sys_init_module+0x114/0x138
> [  668.677185]  ret_from_syscall+0x0/0x38
> [  668.677231]
> [  668.678543] Freed by task 0:
> [  668.681460]  __kasan_slab_free+0x120/0x22c
> [  668.681579]  kfree+0x74/0x270
> [  668.681726]  rcu_process_callbacks+0x384/0x620
> [  668.681858]  __do_softirq+0x134/0x48c
> [  668.681904]
> [  668.683231] The buggy address belongs to the object at c53e8c90
> [  668.683231]  which belongs to the cache kmalloc-32 of size 32
> [  668.694778] The buggy address is located 19 bytes inside of
> [  668.694778]  32-byte region [c53e8c90, c53e8cb0)
> [  668.704780] The buggy address belongs to the page:
> [  668.709568] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
> [  668.709676] flags: 0x200(slab)
> [  668.709903] raw: 00000200 00000100 00000200 c5007cf0 00000000
> 015502ab ffffffff 00000001
> [  668.709970] page dumped because: kasan: bad access detected
> [  668.710010]
> [  668.711317] Memory state around the buggy address:
> [  668.716124]  c53e8b80: 00 fc fc fc 00 00 00 fc fc fc fb fb fb fb fc fc
> [  668.722579]  c53e8c00: 00 00 00 04 fc fc 00 00 00 04 fc fc 00 00 00 00
> [  668.729033] >c53e8c80: fc fc 00 00 03 fc fc fc 00 00 00 00 fc fc 00 00
> [  668.735421]                        ^
> [  668.739014]  c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
> [  668.745470]  c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00
> [  668.751860]
> ==================================================================
> [  669.016775] kasan test: kmalloc_oob_krealloc_less out-of-bounds after
> krealloc less
> [  669.016942]
> ==================================================================
> [  669.024120] BUG: KASAN: slab-out-of-bounds in
> kmalloc_oob_krealloc_less+0x8c/0xac [test_kasan]
> [  669.032474] Write of size 1 at addr c53e8bdf by task exe/340
> [  669.037995]
> [  669.039577] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  669.039628] Call Trace:
> [  669.039803] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  669.040007] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  669.040299] [c5649ce0] [c95d48e4] kmalloc_oob_krealloc_less+0x8c/0xac
> [test_kasan]
> [  669.040580] [c5649d00] [c95d5530] kmalloc_tests_init+0x38/0x2d0
> [test_kasan]
> [  669.040771] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  669.040984] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  669.041187] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  669.041390] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  669.041584] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  669.041750] --- interrupt: c01 at 0xfd6b914
> [  669.041750]     LR = 0x1001364c
> [  669.041796]
> [  669.043105] Allocated by task 340:
> [  669.046537]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  669.046687]  krealloc+0xb0/0xe8
> [  669.046940]  kmalloc_oob_krealloc_less+0x58/0xac [test_kasan]
> [  669.047176]  kmalloc_tests_init+0x38/0x2d0 [test_kasan]
> [  669.047321]  do_one_initcall+0x40/0x278
> [  669.047491]  do_init_module+0xcc/0x59c
> [  669.047648]  load_module+0x2bc4/0x320c
> [  669.047806]  sys_init_module+0x114/0x138
> [  669.047951]  ret_from_syscall+0x0/0x38
> [  669.047998]
> [  669.049294] Freed by task 0:
> [  669.052211]  __kasan_slab_free+0x120/0x22c
> [  669.052332]  kfree+0x74/0x270
> [  669.052479]  rcu_process_callbacks+0x384/0x620
> [  669.052612]  __do_softirq+0x134/0x48c
> [  669.052659]
> [  669.053981] The buggy address belongs to the object at c53e8bd0
> [  669.053981]  which belongs to the cache kmalloc-32 of size 32
> [  669.065529] The buggy address is located 15 bytes inside of
> [  669.065529]  32-byte region [c53e8bd0, c53e8bf0)
> [  669.075531] The buggy address belongs to the page:
> [  669.080318] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
> [  669.080428] flags: 0x200(slab)
> [  669.080655] raw: 00000200 00000100 00000200 c5007cf0 00000000
> 015502ab ffffffff 00000001
> [  669.080724] page dumped because: kasan: bad access detected
> [  669.080764]
> [  669.082068] Memory state around the buggy address:
> [  669.086874]  c53e8a80: 00 00 00 fc fc fc 00 00 00 fc fc fc 00 00 00 00
> [  669.093328]  c53e8b00: fc fc 00 00 00 fc fc fc 00 00 00 fc fc fc 00 00
> [  669.099783] >c53e8b80: 00 fc fc fc 00 00 00 fc fc fc 00 07 fc fc fc fc
> [  669.106177]                                             ^
> [  669.111572]  c53e8c00: 00 00 00 04 fc fc 00 00 00 04 fc fc 00 00 00 00
> [  669.118028]  c53e8c80: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc 00 00
> [  669.124418]
> ==================================================================
> [  669.137359] kasan test: kmalloc_oob_16 kmalloc out-of-bounds for
> 16-bytes access
> [  669.137538]
> ==================================================================
> [  669.144772] BUG: KASAN: slab-out-of-bounds in
> kmalloc_oob_16+0x94/0xdc [test_kasan]
> [  669.152181] Write of size 16 at addr c58eada0 by task exe/340
> [  669.157790]
> [  669.159371] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  669.159421] Call Trace:
> [  669.159597] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  669.159799] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  669.160086] [c5649ce0] [c95d444c] kmalloc_oob_16+0x94/0xdc [test_kasan]
> [  669.160365] [c5649d00] [c95d5534] kmalloc_tests_init+0x3c/0x2d0
> [test_kasan]
> [  669.160554] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  669.160765] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  669.160966] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  669.161167] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  669.161360] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  669.161523] --- interrupt: c01 at 0xfd6b914
> [  669.161523]     LR = 0x1001364c
> [  669.161569]
> [  669.162900] Allocated by task 340:
> [  669.166332]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  669.166578]  kmalloc_oob_16+0x48/0xdc [test_kasan]
> [  669.166812]  kmalloc_tests_init+0x3c/0x2d0 [test_kasan]
> [  669.166955]  do_one_initcall+0x40/0x278
> [  669.167121]  do_init_module+0xcc/0x59c
> [  669.167275]  load_module+0x2bc4/0x320c
> [  669.167432]  sys_init_module+0x114/0x138
> [  669.167575]  ret_from_syscall+0x0/0x38
> [  669.167620]
> [  669.168919] Freed by task 338:
> [  669.172004]  __kasan_slab_free+0x120/0x22c
> [  669.172122]  kfree+0x74/0x270
> [  669.172264]  walk_component+0x150/0x478
> [  669.172399]  link_path_walk+0x374/0x63c
> [  669.172535]  path_openat+0xe4/0x15f8
> [  669.172674]  do_filp_open+0xd0/0x120
> [  669.172843]  do_open_execat+0x64/0x264
> [  669.173010]  __do_execve_file+0xa0c/0xb20
> [  669.173172]  sys_execve+0x40/0x54
> [  669.173318]  ret_from_syscall+0x0/0x38
> [  669.173364]
> [  669.174722] The buggy address belongs to the object at c58eada0
> [  669.174722]  which belongs to the cache kmalloc-16 of size 16
> [  669.186269] The buggy address is located 0 bytes inside of
> [  669.186269]  16-byte region [c58eada0, c58eadb0)
> [  669.196187] The buggy address belongs to the page:
> [  669.200974] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  669.201083] flags: 0x200(slab)
> [  669.201310] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  669.201378] page dumped because: kasan: bad access detected
> [  669.201417]
> [  669.202723] Memory state around the buggy address:
> [  669.207530]  c58eac80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  669.213984]  c58ead00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  669.220438] >c58ead80: fb fb fc fc 00 05 fc fc 00 00 fc fc fb fb fc fc
> [  669.226828]                           ^
> [  669.230678]  c58eae00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  669.237134]  c58eae80: fb fb fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
> [  669.243524]
> ==================================================================
> [  669.521937] kasan test: kmalloc_oob_in_memset out-of-bounds in memset
> [  669.522086]
> ==================================================================
> [  669.529294] BUG: KASAN: slab-out-of-bounds in
> kmalloc_oob_in_memset+0x78/0x90 [test_kasan]
> [  669.537306] Write of size 671 at addr c5881b00 by task exe/340
> [  669.543000]
> [  669.544581] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  669.544632] Call Trace:
> [  669.544808] [c5649c50] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  669.545012] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
> [  669.545186] [c5649cc0] [c0175700] memset+0x2c/0x4c
> [  669.545477] [c5649ce0] [c95d497c] kmalloc_oob_in_memset+0x78/0x90
> [test_kasan]
> [  669.545759] [c5649d00] [c95d5538] kmalloc_tests_init+0x40/0x2d0
> [test_kasan]
> [  669.545949] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  669.546163] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  669.546366] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  669.546570] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  669.546764] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  669.546929] --- interrupt: c01 at 0xfd6b914
> [  669.546929]     LR = 0x1001364c
> [  669.546976]
> [  669.548281] Allocated by task 340:
> [  669.551713]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  669.551963]  kmalloc_oob_in_memset+0x44/0x90 [test_kasan]
> [  669.552199]  kmalloc_tests_init+0x40/0x2d0 [test_kasan]
> [  669.552346]  do_one_initcall+0x40/0x278
> [  669.552515]  do_init_module+0xcc/0x59c
> [  669.552672]  load_module+0x2bc4/0x320c
> [  669.552831]  sys_init_module+0x114/0x138
> [  669.552976]  ret_from_syscall+0x0/0x38
> [  669.553023]
> [  669.554300] Freed by task 131:
> [  669.557387]  __kasan_slab_free+0x120/0x22c
> [  669.557508]  kfree+0x74/0x270
> [  669.557682]  pskb_expand_head+0x2b0/0x434
> [  669.557843]  netlink_trim+0xfc/0x114
> [  669.558009]  netlink_broadcast_filtered+0x48/0x530
> [  669.558169]  nlmsg_notify+0x7c/0x128
> [  669.558330]  fib6_add+0xd44/0x11d4
> [  669.558461]  __ip6_ins_rt+0x5c/0x88
> [  669.558598]  ip6_ins_rt+0x34/0x44
> [  669.558777]  __ipv6_ifa_notify+0x388/0x38c
> [  669.558945]  ipv6_ifa_notify+0x68/0x88
> [  669.559076]  addrconf_dad_completed+0x54/0x49c
> [  669.559201]  addrconf_dad_work+0x558/0x84c
> [  669.559369]  process_one_work+0x408/0x78c
> [  669.559524]  worker_thread+0xb4/0x83c
> [  669.559657]  kthread+0x144/0x184
> [  669.559811]  ret_from_kernel_thread+0x14/0x1c
> [  669.559858]
> [  669.561223] The buggy address belongs to the object at c5881b00
> [  669.561223]  which belongs to the cache kmalloc-1k of size 1024
> [  669.572943] The buggy address is located 0 bytes inside of
> [  669.572943]  1024-byte region [c5881b00, c5881f00)
> [  669.583031] The buggy address belongs to the page:
> [  669.587818] page:c7fdc400 count:1 mapcount:0 mapping:c5007740 index:0x0
> [  669.587929] flags: 0x200(slab)
> [  669.588156] raw: 00000200 00000100 00000200 c5007740 00000000
> 000e001d ffffffff 00000001
> [  669.588225] page dumped because: kasan: bad access detected
> [  669.588265]
> [  669.589567] Memory state around the buggy address:
> [  669.594374]  c5881c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  669.600828]  c5881d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  669.607282] >c5881d80: 00 00 00 02 fc fc fc fc fc fc fc fc fc fc fc fc
> [  669.613671]                     ^
> [  669.617005]  c5881e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  669.623462]  c5881e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  669.629852]
> ==================================================================
> [  669.643287] kasan test: kmalloc_oob_memset_2 out-of-bounds in memset2
> [  669.643423]
> ==================================================================
> [  669.650641] BUG: KASAN: slab-out-of-bounds in
> kmalloc_oob_memset_2+0x7c/0x94 [test_kasan]
> [  669.658563] Write of size 2 at addr c58eae07 by task exe/340
> [  669.664085]
> [  669.665668] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  669.665718] Call Trace:
> [  669.665891] [c5649c50] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  669.666095] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
> [  669.666267] [c5649cc0] [c0175700] memset+0x2c/0x4c
> [  669.666556] [c5649ce0] [c95d4a10] kmalloc_oob_memset_2+0x7c/0x94
> [test_kasan]
> [  669.666836] [c5649d00] [c95d553c] kmalloc_tests_init+0x44/0x2d0
> [test_kasan]
> [  669.667026] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  669.667239] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  669.667440] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  669.667643] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  669.667836] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  669.668002] --- interrupt: c01 at 0xfd6b914
> [  669.668002]     LR = 0x1001364c
> [  669.668046]
> [  669.669366] Allocated by task 340:
> [  669.672799]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  669.673048]  kmalloc_oob_memset_2+0x44/0x94 [test_kasan]
> [  669.673283]  kmalloc_tests_init+0x44/0x2d0 [test_kasan]
> [  669.673426]  do_one_initcall+0x40/0x278
> [  669.673594]  do_init_module+0xcc/0x59c
> [  669.673750]  load_module+0x2bc4/0x320c
> [  669.673909]  sys_init_module+0x114/0x138
> [  669.674051]  ret_from_syscall+0x0/0x38
> [  669.674098]
> [  669.675387] Freed by task 276:
> [  669.678473]  __kasan_slab_free+0x120/0x22c
> [  669.678594]  kfree+0x74/0x270
> [  669.678724]  single_release+0x54/0x6c
> [  669.678897]  close_pdeo+0x128/0x224
> [  669.679064]  proc_reg_release+0x110/0x128
> [  669.679197]  __fput+0xec/0x2d4
> [  669.679320]  task_work_run+0x13c/0x15c
> [  669.679487]  do_notify_resume+0x3d8/0x438
> [  669.679636]  do_user_signal+0x2c/0x34
> [  669.679682]
> [  669.681018] The buggy address belongs to the object at c58eae00
> [  669.681018]  which belongs to the cache kmalloc-16 of size 16
> [  669.692565] The buggy address is located 7 bytes inside of
> [  669.692565]  16-byte region [c58eae00, c58eae10)
> [  669.702482] The buggy address belongs to the page:
> [  669.707268] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  669.707380] flags: 0x200(slab)
> [  669.707607] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  669.707674] page dumped because: kasan: bad access detected
> [  669.707713]
> [  669.709018] Memory state around the buggy address:
> [  669.713825]  c58ead00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  669.720279]  c58ead80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  669.726734] >c58eae00: 00 fc fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  669.733120]               ^
> [  669.735941]  c58eae80: fb fb fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
> [  669.742397]  c58eaf00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  669.748787]
> ==================================================================
> [  670.056503] kasan test: kmalloc_oob_memset_4 out-of-bounds in memset4
> [  670.056640]
> ==================================================================
> [  670.063818] BUG: KASAN: slab-out-of-bounds in
> kmalloc_oob_memset_4+0x7c/0x94 [test_kasan]
> [  670.071743] Write of size 4 at addr c58eae25 by task exe/340
> [  670.077263]
> [  670.078847] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  670.078898] Call Trace:
> [  670.079074] [c5649c50] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  670.079279] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
> [  670.079452] [c5649cc0] [c0175700] memset+0x2c/0x4c
> [  670.079743] [c5649ce0] [c95d4aa4] kmalloc_oob_memset_4+0x7c/0x94
> [test_kasan]
> [  670.080025] [c5649d00] [c95d5540] kmalloc_tests_init+0x48/0x2d0
> [test_kasan]
> [  670.080216] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  670.080431] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  670.080635] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  670.080839] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  670.081034] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  670.081201] --- interrupt: c01 at 0xfd6b914
> [  670.081201]     LR = 0x1001364c
> [  670.081247]
> [  670.082546] Allocated by task 340:
> [  670.085978]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  670.086229]  kmalloc_oob_memset_4+0x44/0x94 [test_kasan]
> [  670.086465]  kmalloc_tests_init+0x48/0x2d0 [test_kasan]
> [  670.086611]  do_one_initcall+0x40/0x278
> [  670.086782]  do_init_module+0xcc/0x59c
> [  670.086941]  load_module+0x2bc4/0x320c
> [  670.087101]  sys_init_module+0x114/0x138
> [  670.087246]  ret_from_syscall+0x0/0x38
> [  670.087293]
> [  670.088563] Freed by task 276:
> [  670.091652]  __kasan_slab_free+0x120/0x22c
> [  670.091774]  kfree+0x74/0x270
> [  670.091906]  single_release+0x54/0x6c
> [  670.092080]  close_pdeo+0x128/0x224
> [  670.092249]  proc_reg_release+0x110/0x128
> [  670.092383]  __fput+0xec/0x2d4
> [  670.092509]  task_work_run+0x13c/0x15c
> [  670.092678]  do_notify_resume+0x3d8/0x438
> [  670.092828]  do_user_signal+0x2c/0x34
> [  670.092874]
> [  670.094198] The buggy address belongs to the object at c58eae20
> [  670.094198]  which belongs to the cache kmalloc-16 of size 16
> [  670.105743] The buggy address is located 5 bytes inside of
> [  670.105743]  16-byte region [c58eae20, c58eae30)
> [  670.115660] The buggy address belongs to the page:
> [  670.120447] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  670.120560] flags: 0x200(slab)
> [  670.120789] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  670.120858] page dumped because: kasan: bad access detected
> [  670.120899]
> [  670.122198] Memory state around the buggy address:
> [  670.127004]  c58ead00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.133458]  c58ead80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.139912] >c58eae00: fb fb fc fc 00 fc fc fc fb fb fc fc fb fb fc fc
> [  670.146302]                           ^
> [  670.150152]  c58eae80: fb fb fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
> [  670.156608]  c58eaf00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.162998]
> ==================================================================
> [  670.176210] kasan test: kmalloc_oob_memset_8 out-of-bounds in memset8
> [  670.176342]
> ==================================================================
> [  670.183528] BUG: KASAN: slab-out-of-bounds in
> kmalloc_oob_memset_8+0x7c/0x94 [test_kasan]
> [  670.191450] Write of size 8 at addr c58eae41 by task exe/340
> [  670.196972]
> [  670.198555] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  670.198605] Call Trace:
> [  670.198779] [c5649c50] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  670.198982] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
> [  670.199153] [c5649cc0] [c0175700] memset+0x2c/0x4c
> [  670.199443] [c5649ce0] [c95d4b38] kmalloc_oob_memset_8+0x7c/0x94
> [test_kasan]
> [  670.199722] [c5649d00] [c95d5544] kmalloc_tests_init+0x4c/0x2d0
> [test_kasan]
> [  670.199912] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  670.200125] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  670.200327] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  670.200530] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  670.200723] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  670.200887] --- interrupt: c01 at 0xfd6b914
> [  670.200887]     LR = 0x1001364c
> [  670.200931]
> [  670.202255] Allocated by task 340:
> [  670.205686]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  670.205934]  kmalloc_oob_memset_8+0x44/0x94 [test_kasan]
> [  670.206168]  kmalloc_tests_init+0x4c/0x2d0 [test_kasan]
> [  670.206312]  do_one_initcall+0x40/0x278
> [  670.206480]  do_init_module+0xcc/0x59c
> [  670.206637]  load_module+0x2bc4/0x320c
> [  670.206794]  sys_init_module+0x114/0x138
> [  670.206937]  ret_from_syscall+0x0/0x38
> [  670.206983]
> [  670.208274] Freed by task 276:
> [  670.211360]  __kasan_slab_free+0x120/0x22c
> [  670.211479]  kfree+0x74/0x270
> [  670.211611]  single_release+0x54/0x6c
> [  670.211782]  close_pdeo+0x128/0x224
> [  670.211947]  proc_reg_release+0x110/0x128
> [  670.212079]  __fput+0xec/0x2d4
> [  670.212202]  task_work_run+0x13c/0x15c
> [  670.212368]  do_notify_resume+0x3d8/0x438
> [  670.212515]  do_user_signal+0x2c/0x34
> [  670.212561]
> [  670.213904] The buggy address belongs to the object at c58eae40
> [  670.213904]  which belongs to the cache kmalloc-16 of size 16
> [  670.225452] The buggy address is located 1 bytes inside of
> [  670.225452]  16-byte region [c58eae40, c58eae50)
> [  670.235368] The buggy address belongs to the page:
> [  670.240155] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  670.240265] flags: 0x200(slab)
> [  670.240493] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  670.240560] page dumped because: kasan: bad access detected
> [  670.240599]
> [  670.241906] Memory state around the buggy address:
> [  670.246712]  c58ead00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.253167]  c58ead80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.259621] >c58eae00: fb fb fc fc fb fb fc fc 00 fc fc fc fb fb fc fc
> [  670.266014]                                       ^
> [  670.270894]  c58eae80: fb fb fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
> [  670.277349]  c58eaf00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.283740]
> ==================================================================
> [  670.574861] kasan test: kmalloc_oob_memset_16 out-of-bounds in memset16
> [  670.574999]
> ==================================================================
> [  670.582162] BUG: KASAN: slab-out-of-bounds in
> kmalloc_oob_memset_16+0x7c/0x94 [test_kasan]
> [  670.590260] Write of size 16 at addr c58eae81 by task exe/340
> [  670.595865]
> [  670.597448] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  670.597499] Call Trace:
> [  670.597674] [c5649c50] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  670.597880] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
> [  670.598053] [c5649cc0] [c0175700] memset+0x2c/0x4c
> [  670.598344] [c5649ce0] [c95d4bcc] kmalloc_oob_memset_16+0x7c/0x94
> [test_kasan]
> [  670.598626] [c5649d00] [c95d5548] kmalloc_tests_init+0x50/0x2d0
> [test_kasan]
> [  670.598816] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  670.599031] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  670.599234] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  670.599439] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  670.599634] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  670.599801] --- interrupt: c01 at 0xfd6b914
> [  670.599801]     LR = 0x1001364c
> [  670.599847]
> [  670.601148] Allocated by task 340:
> [  670.604580]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  670.604834]  kmalloc_oob_memset_16+0x44/0x94 [test_kasan]
> [  670.605070]  kmalloc_tests_init+0x50/0x2d0 [test_kasan]
> [  670.605215]  do_one_initcall+0x40/0x278
> [  670.605385]  do_init_module+0xcc/0x59c
> [  670.605543]  load_module+0x2bc4/0x320c
> [  670.605704]  sys_init_module+0x114/0x138
> [  670.605851]  ret_from_syscall+0x0/0x38
> [  670.605897]
> [  670.607166] Freed by task 276:
> [  670.610253]  __kasan_slab_free+0x120/0x22c
> [  670.610374]  kfree+0x74/0x270
> [  670.610506]  single_release+0x54/0x6c
> [  670.610681]  close_pdeo+0x128/0x224
> [  670.610849]  proc_reg_release+0x110/0x128
> [  670.610983]  __fput+0xec/0x2d4
> [  670.611107]  task_work_run+0x13c/0x15c
> [  670.611275]  do_notify_resume+0x3d8/0x438
> [  670.611424]  do_user_signal+0x2c/0x34
> [  670.611471]
> [  670.612798] The buggy address belongs to the object at c58eae80
> [  670.612798]  which belongs to the cache kmalloc-16 of size 16
> [  670.624345] The buggy address is located 1 bytes inside of
> [  670.624345]  16-byte region [c58eae80, c58eae90)
> [  670.634260] The buggy address belongs to the page:
> [  670.639048] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  670.639158] flags: 0x200(slab)
> [  670.639387] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  670.639457] page dumped because: kasan: bad access detected
> [  670.639497]
> [  670.640799] Memory state around the buggy address:
> [  670.645604]  c58ead80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.652058]  c58eae00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.658513] >c58eae80: 00 00 fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
> [  670.664901]                  ^
> [  670.667978]  c58eaf00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.674434]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.680825]
> ==================================================================
> [  670.693766] kasan test: kmalloc_uaf use-after-free
> [  670.693923]
> ==================================================================
> [  670.701091] BUG: KASAN: use-after-free in kmalloc_uaf+0x78/0x94
> [test_kasan]
> [  670.707899] Write of size 1 at addr c58eaea8 by task exe/340
> [  670.713422]
> [  670.715004] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  670.715055] Call Trace:
> [  670.715229] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  670.715433] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  670.715719] [c5649ce0] [c95d450c] kmalloc_uaf+0x78/0x94 [test_kasan]
> [  670.715997] [c5649d00] [c95d554c] kmalloc_tests_init+0x54/0x2d0
> [test_kasan]
> [  670.716187] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  670.716400] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  670.716601] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  670.716804] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  670.716998] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  670.717164] --- interrupt: c01 at 0xfd6b914
> [  670.717164]     LR = 0x1001364c
> [  670.717209]
> [  670.718531] Allocated by task 340:
> [  670.721965]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  670.722210]  kmalloc_uaf+0x44/0x94 [test_kasan]
> [  670.722446]  kmalloc_tests_init+0x54/0x2d0 [test_kasan]
> [  670.722588]  do_one_initcall+0x40/0x278
> [  670.722756]  do_init_module+0xcc/0x59c
> [  670.722912]  load_module+0x2bc4/0x320c
> [  670.723069]  sys_init_module+0x114/0x138
> [  670.723213]  ret_from_syscall+0x0/0x38
> [  670.723260]
> [  670.724550] Freed by task 340:
> [  670.727635]  __kasan_slab_free+0x120/0x22c
> [  670.727754]  kfree+0x74/0x270
> [  670.727998]  kmalloc_uaf+0x70/0x94 [test_kasan]
> [  670.728233]  kmalloc_tests_init+0x54/0x2d0 [test_kasan]
> [  670.728375]  do_one_initcall+0x40/0x278
> [  670.728543]  do_init_module+0xcc/0x59c
> [  670.728698]  load_module+0x2bc4/0x320c
> [  670.728855]  sys_init_module+0x114/0x138
> [  670.728998]  ret_from_syscall+0x0/0x38
> [  670.729044]
> [  670.730356] The buggy address belongs to the object at c58eaea0
> [  670.730356]  which belongs to the cache kmalloc-16 of size 16
> [  670.741901] The buggy address is located 8 bytes inside of
> [  670.741901]  16-byte region [c58eaea0, c58eaeb0)
> [  670.751818] The buggy address belongs to the page:
> [  670.756605] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  670.756716] flags: 0x200(slab)
> [  670.756944] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  670.757012] page dumped because: kasan: bad access detected
> [  670.757052]
> [  670.758354] Memory state around the buggy address:
> [  670.763163]  c58ead80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.769616]  c58eae00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.776070] >c58eae80: fb fb fc fc fb fb fc fc fb fb fc fc 00 04 fc fc
> [  670.782461]                           ^
> [  670.786311]  c58eaf00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.792765]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  670.799157]
> ==================================================================
> [  671.084949] kasan test: kmalloc_uaf_memset use-after-free in memset
> [  671.085122]
> ==================================================================
> [  671.092328] BUG: KASAN: use-after-free in
> kmalloc_tests_init+0x58/0x2d0 [test_kasan]
> [  671.099824] Write of size 33 at addr c534b0c0 by task exe/340
> [  671.105430]
> [  671.107012] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  671.107063] Call Trace:
> [  671.107238] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  671.107443] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  671.107616] [c5649ce0] [c0175700] memset+0x2c/0x4c
> [  671.107907] [c5649d00] [c95d5550] kmalloc_tests_init+0x58/0x2d0
> [test_kasan]
> [  671.108098] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  671.108314] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  671.108518] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  671.108724] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  671.108918] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  671.109085] --- interrupt: c01 at 0xfd6b914
> [  671.109085]     LR = 0x1001364c
> [  671.109132]
> [  671.110452] Allocated by task 340:
> [  671.113886]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  671.114137]  kmalloc_uaf_memset+0x44/0x90 [test_kasan]
> [  671.114374]  kmalloc_tests_init+0x58/0x2d0 [test_kasan]
> [  671.114520]  do_one_initcall+0x40/0x278
> [  671.114689]  do_init_module+0xcc/0x59c
> [  671.114846]  load_module+0x2bc4/0x320c
> [  671.115005]  sys_init_module+0x114/0x138
> [  671.115151]  ret_from_syscall+0x0/0x38
> [  671.115198]
> [  671.116472] Freed by task 340:
> [  671.119559]  __kasan_slab_free+0x120/0x22c
> [  671.119681]  kfree+0x74/0x270
> [  671.119927]  kmalloc_uaf_memset+0x70/0x90 [test_kasan]
> [  671.120167]  kmalloc_tests_init+0x58/0x2d0 [test_kasan]
> [  671.120312]  do_one_initcall+0x40/0x278
> [  671.120481]  do_init_module+0xcc/0x59c
> [  671.120640]  load_module+0x2bc4/0x320c
> [  671.120801]  sys_init_module+0x114/0x138
> [  671.120945]  ret_from_syscall+0x0/0x38
> [  671.120992]
> [  671.122276] The buggy address belongs to the object at c534b0c0
> [  671.122276]  which belongs to the cache kmalloc-64 of size 64
> [  671.133824] The buggy address is located 0 bytes inside of
> [  671.133824]  64-byte region [c534b0c0, c534b100)
> [  671.143741] The buggy address belongs to the page:
> [  671.148527] page:c7fd9a40 count:1 mapcount:0 mapping:c5007c20 index:0x0
> [  671.148637] flags: 0x200(slab)
> [  671.148866] raw: 00000200 00000100 00000200 c5007c20 00000000
> 00aa0155 ffffffff 00000001
> [  671.148935] page dumped because: kasan: bad access detected
> [  671.148975]
> [  671.150277] Memory state around the buggy address:
> [  671.155084]  c534af80: fc fc fc fc 00 00 00 00 04 fc fc fc fc fc fc fc
> [  671.161538]  c534b000: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
> [  671.167993] >c534b080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
> [  671.174383]                                    ^
> [  671.179007]  c534b100: fc fc fc fc 00 00 00 00 04 fc fc fc fc fc fc fc
> [  671.185461]  c534b180: 00 00 00 00 04 fc fc fc fc fc fc fc fb fb fb fb
> [  671.191853]
> ==================================================================
> [  671.204460] kasan test: kmalloc_uaf2 use-after-free after another kmalloc
> [  671.204676]
> ==================================================================
> [  671.211859] BUG: KASAN: use-after-free in kmalloc_uaf2+0x9c/0xd4
> [test_kasan]
> [  671.218755] Write of size 1 at addr c534b088 by task exe/340
> [  671.224277]
> [  671.225860] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  671.225910] Call Trace:
> [  671.226085] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  671.226288] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  671.226574] [c5649ce0] [c95d45c4] kmalloc_uaf2+0x9c/0xd4 [test_kasan]
> [  671.226854] [c5649d00] [c95d5554] kmalloc_tests_init+0x5c/0x2d0
> [test_kasan]
> [  671.227044] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  671.227257] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  671.227458] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  671.227659] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  671.227853] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  671.228018] --- interrupt: c01 at 0xfd6b914
> [  671.228018]     LR = 0x1001364c
> [  671.228063]
> [  671.229387] Allocated by task 340:
> [  671.232819]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  671.233065]  kmalloc_uaf2+0x48/0xd4 [test_kasan]
> [  671.233299]  kmalloc_tests_init+0x5c/0x2d0 [test_kasan]
> [  671.233442]  do_one_initcall+0x40/0x278
> [  671.233609]  do_init_module+0xcc/0x59c
> [  671.233765]  load_module+0x2bc4/0x320c
> [  671.233922]  sys_init_module+0x114/0x138
> [  671.234066]  ret_from_syscall+0x0/0x38
> [  671.234111]
> [  671.235407] Freed by task 340:
> [  671.238491]  __kasan_slab_free+0x120/0x22c
> [  671.238609]  kfree+0x74/0x270
> [  671.238851]  kmalloc_uaf2+0x78/0xd4 [test_kasan]
> [  671.239085]  kmalloc_tests_init+0x5c/0x2d0 [test_kasan]
> [  671.239228]  do_one_initcall+0x40/0x278
> [  671.239395]  do_init_module+0xcc/0x59c
> [  671.239550]  load_module+0x2bc4/0x320c
> [  671.239707]  sys_init_module+0x114/0x138
> [  671.239850]  ret_from_syscall+0x0/0x38
> [  671.239897]
> [  671.241211] The buggy address belongs to the object at c534b060
> [  671.241211]  which belongs to the cache kmalloc-64 of size 64
> [  671.252758] The buggy address is located 40 bytes inside of
> [  671.252758]  64-byte region [c534b060, c534b0a0)
> [  671.262761] The buggy address belongs to the page:
> [  671.267547] page:c7fd9a40 count:1 mapcount:0 mapping:c5007c20 index:0x0
> [  671.267657] flags: 0x200(slab)
> [  671.267885] raw: 00000200 00000100 00000200 c5007c20 00000000
> 00aa0155 ffffffff 00000001
> [  671.267953] page dumped because: kasan: bad access detected
> [  671.267993]
> [  671.269296] Memory state around the buggy address:
> [  671.274104]  c534af80: fc fc fc fc 00 00 00 00 04 fc fc fc fc fc fc fc
> [  671.280561]  c534b000: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
> [  671.287012] >c534b080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
> [  671.293399]               ^
> [  671.296220]  c534b100: fc fc fc fc 00 00 00 00 04 fc fc fc fc fc fc fc
> [  671.302676]  c534b180: 00 00 00 00 04 fc fc fc fc fc fc fc fb fb fb fb
> [  671.309066]
> ==================================================================
> [  671.597554] kasan test: kmem_cache_oob out-of-bounds in kmem_cache_alloc
> [  671.597819]
> ==================================================================
> [  671.604991] BUG: KASAN: slab-out-of-bounds in
> kmem_cache_oob+0x9c/0xd0 [test_kasan]
> [  671.612398] Read of size 1 at addr c5e180c8 by task exe/340
> [  671.617834]
> [  671.619417] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  671.619469] Call Trace:
> [  671.619645] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  671.619848] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  671.620138] [c5649ce0] [c95d4d10] kmem_cache_oob+0x9c/0xd0 [test_kasan]
> [  671.620420] [c5649d00] [c95d5558] kmalloc_tests_init+0x60/0x2d0
> [test_kasan]
> [  671.620611] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  671.620826] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  671.621030] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  671.621234] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  671.621428] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  671.621596] --- interrupt: c01 at 0xfd6b914
> [  671.621596]     LR = 0x1001364c
> [  671.621642]
> [  671.622944] Allocated by task 340:
> [  671.626376]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  671.626504]  kmem_cache_alloc+0xf4/0x210
> [  671.626752]  kmem_cache_oob+0x78/0xd0 [test_kasan]
> [  671.626989]  kmalloc_tests_init+0x60/0x2d0 [test_kasan]
> [  671.627135]  do_one_initcall+0x40/0x278
> [  671.627305]  do_init_module+0xcc/0x59c
> [  671.627463]  load_module+0x2bc4/0x320c
> [  671.627623]  sys_init_module+0x114/0x138
> [  671.627769]  ret_from_syscall+0x0/0x38
> [  671.627816]
> [  671.629132] Freed by task 0:
> [  671.631954] (stack is not available)
> [  671.635476]
> [  671.637007] The buggy address belongs to the object at c5e18000
> [  671.637007]  which belongs to the cache test_cache of size 200
> [  671.648642] The buggy address is located 0 bytes to the right of
> [  671.648642]  200-byte region [c5e18000, c5e180c8)
> [  671.659156] The buggy address belongs to the page:
> [  671.663942] page:c7fdf0c0 count:1 mapcount:0 mapping:c540a560 index:0x0
> [  671.664054] flags: 0x200(slab)
> [  671.664283] raw: 00000200 00000100 00000200 c540a560 00000000
> 003e007d ffffffff 00000001
> [  671.664353] page dumped because: kasan: bad access detected
> [  671.664393]
> [  671.665694] Memory state around the buggy address:
> [  671.670501]  c5e17f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  671.676954]  c5e18000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  671.683409] >c5e18080: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
> [  671.689802]                                       ^
> [  671.694680]  c5e18100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  671.701137]  c5e18180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  671.707528]
> ==================================================================
> [  671.758410]
> =============================================================================
> [  671.766368] BUG test_cache (Tainted: G    B            ): Objects
> remaining in test_cache on __kmem_cache_shutdown()
> [  671.776719]
> -----------------------------------------------------------------------------
> [  671.776719]
> [  671.786325] INFO: Slab 0x(ptrval) objects=62 used=1 fp=0x(ptrval)
> flags=0x0200
> [  671.793514] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  671.793563] Call Trace:
> [  671.793752] [c5649bf0] [c016ebe0] slab_err+0x98/0xac (unreliable)
> [  671.793956] [c5649c90] [c01748f4] __kmem_cache_shutdown+0x15c/0x338
> [  671.794160] [c5649cf0] [c013c3b4] kmem_cache_destroy+0x68/0x114
> [  671.794463] [c5649d00] [c95d5558] kmalloc_tests_init+0x60/0x2d0
> [test_kasan]
> [  671.794656] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  671.794868] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  671.795071] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  671.795275] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  671.795468] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  671.795633] --- interrupt: c01 at 0xfd6b914
> [  671.795633]     LR = 0x1001364c
> [  671.795738] INFO: Object 0x(ptrval) @offset=0
> [  671.909762] kmem_cache_destroy test_cache: Slab cache still has objects
> [  671.931546] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  671.931601] Call Trace:
> [  671.931790] [c5649cf0] [c013c45c] kmem_cache_destroy+0x110/0x114
> (unreliable)
> [  671.932116] [c5649d00] [c95d5558] kmalloc_tests_init+0x60/0x2d0
> [test_kasan]
> [  671.932310] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  671.932526] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  671.932730] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  671.932934] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  671.933130] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  671.933300] --- interrupt: c01 at 0xfd6b914
> [  671.933300]     LR = 0x1001364c
> [  671.952750] kasan test: memcg_accounted_kmem_cache allocate memcg
> accounted object
> [  672.556766] kasan test: kasan_stack_oob out-of-bounds on stack
> [  672.556850] kasan test: kasan_global_oob out-of-bounds global variable
> [  672.556922] kasan test: kasan_alloca_oob_left out-of-bounds to left
> on alloca
> [  672.556995] kasan test: kasan_alloca_oob_right out-of-bounds to right
> on alloca
> [  672.557070] kasan test: ksize_unpoisons_memory ksize() unpoisons the
> whole allocated chunk
> [  672.557200]
> ==================================================================
> [  672.564395] BUG: KASAN: slab-out-of-bounds in
> ksize_unpoisons_memory+0x8c/0xac [test_kasan]
> [  672.572578] Write of size 1 at addr c539ab40 by task exe/340
> [  672.578098]
> [  672.579682] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  672.579734] Call Trace:
> [  672.579909] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  672.580114] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  672.580406] [c5649ce0] [c95d5100] ksize_unpoisons_memory+0x8c/0xac
> [test_kasan]
> [  672.580689] [c5649d00] [c95d5570] kmalloc_tests_init+0x78/0x2d0
> [test_kasan]
> [  672.580880] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  672.581096] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  672.581299] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  672.581503] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  672.581697] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  672.581864] --- interrupt: c01 at 0xfd6b914
> [  672.581864]     LR = 0x1001364c
> [  672.581910]
> [  672.583208] Allocated by task 340:
> [  672.586642]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  672.586892]  ksize_unpoisons_memory+0x44/0xac [test_kasan]
> [  672.587129]  kmalloc_tests_init+0x78/0x2d0 [test_kasan]
> [  672.587275]  do_one_initcall+0x40/0x278
> [  672.587445]  do_init_module+0xcc/0x59c
> [  672.587602]  load_module+0x2bc4/0x320c
> [  672.587761]  sys_init_module+0x114/0x138
> [  672.587906]  ret_from_syscall+0x0/0x38
> [  672.587953]
> [  672.589227] Freed by task 338:
> [  672.592316]  __kasan_slab_free+0x120/0x22c
> [  672.592437]  kfree+0x74/0x270
> [  672.592602]  load_elf_binary+0xb0/0x162c
> [  672.592782]  search_binary_handler+0x120/0x374
> [  672.592950]  __do_execve_file+0x834/0xb20
> [  672.593114]  sys_execve+0x40/0x54
> [  672.593259]  ret_from_syscall+0x0/0x38
> [  672.593307]
> [  672.594603] The buggy address belongs to the object at c539aac0
> [  672.594603]  which belongs to the cache kmalloc-128 of size 128
> [  672.606324] The buggy address is located 0 bytes to the right of
> [  672.606324]  128-byte region [c539aac0, c539ab40)
> [  672.616840] The buggy address belongs to the page:
> [  672.621625] page:c7fd9cc0 count:1 mapcount:0 mapping:c5007a80 index:0x0
> [  672.621738] flags: 0x200(slab)
> [  672.621967] raw: 00000200 00000100 00000200 c5007a80 00000000
> 005500ab ffffffff 00000001
> [  672.622038] page dumped because: kasan: bad access detected
> [  672.622077]
> [  672.623375] Memory state around the buggy address:
> [  672.628183]  c539aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  672.634637]  c539aa80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
> [  672.641090] >c539ab00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
> [  672.647483]                                    ^
> [  672.652106]  c539ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  672.658562]  c539ac00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> [  672.664951]
> ==================================================================
> [  672.814421] kasan test: copy_user_test out-of-bounds in copy_from_user()
> [  672.814499]
> ==================================================================
> [  672.821643] BUG: KASAN: slab-out-of-bounds in _copy_from_user+0x48/0xc4
> [  672.828089] Write of size 11 at addr c58eb020 by task exe/340
> [  672.833699]
> [  672.835280] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  672.835331] Call Trace:
> [  672.835504] [c5649c50] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  672.835708] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
> [  672.835929] [c5649cc0] [c0307be0] _copy_from_user+0x48/0xc4
> [  672.836230] [c5649ce0] [c95d51b4] copy_user_test+0x94/0x1bc [test_kasan]
> [  672.836512] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0
> [test_kasan]
> [  672.836703] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  672.836917] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  672.837121] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  672.837326] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  672.837522] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  672.837687] --- interrupt: c01 at 0xfd6b914
> [  672.837687]     LR = 0x1001364c
> [  672.837733]
> [  672.839067] Allocated by task 340:
> [  672.842500]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  672.842749]  copy_user_test+0x28/0x1bc [test_kasan]
> [  672.842985]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
> [  672.843131]  do_one_initcall+0x40/0x278
> [  672.843301]  do_init_module+0xcc/0x59c
> [  672.843458]  load_module+0x2bc4/0x320c
> [  672.843619]  sys_init_module+0x114/0x138
> [  672.843764]  ret_from_syscall+0x0/0x38
> [  672.843812]
> [  672.845085] Freed by task 276:
> [  672.848173]  __kasan_slab_free+0x120/0x22c
> [  672.848295]  kfree+0x74/0x270
> [  672.848427]  single_release+0x54/0x6c
> [  672.848601]  close_pdeo+0x128/0x224
> [  672.848768]  proc_reg_release+0x110/0x128
> [  672.848903]  __fput+0xec/0x2d4
> [  672.849028]  task_work_run+0x13c/0x15c
> [  672.849197]  do_notify_resume+0x3d8/0x438
> [  672.849346]  do_user_signal+0x2c/0x34
> [  672.849393]
> [  672.850719] The buggy address belongs to the object at c58eb020
> [  672.850719]  which belongs to the cache kmalloc-16 of size 16
> [  672.862264] The buggy address is located 0 bytes inside of
> [  672.862264]  16-byte region [c58eb020, c58eb030)
> [  672.872182] The buggy address belongs to the page:
> [  672.876968] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  672.877079] flags: 0x200(slab)
> [  672.877309] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  672.877377] page dumped because: kasan: bad access detected
> [  672.877418]
> [  672.878717] Memory state around the buggy address:
> [  672.883527]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
> [  672.889979]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  672.896433] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
> [  672.902824]                           ^
> [  672.906673]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  672.913129]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  672.919520]
> ==================================================================
> [  672.932289] kasan test: copy_user_test out-of-bounds in copy_to_user()
> [  672.932363]
> ==================================================================
> [  672.939457] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x9c/0xbc
> [  672.945733] Read of size 11 at addr c58eb020 by task exe/340
> [  672.951255]
> [  672.952840] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  672.952890] Call Trace:
> [  672.953061] [c5649c50] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  672.953264] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
> [  672.953480] [c5649cc0] [c0307cf8] _copy_to_user+0x9c/0xbc
> [  672.953781] [c5649ce0] [c95d51d4] copy_user_test+0xb4/0x1bc [test_kasan]
> [  672.954060] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0
> [test_kasan]
> [  672.954249] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  672.954461] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  672.954662] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  672.954866] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  672.955058] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  672.955224] --- interrupt: c01 at 0xfd6b914
> [  672.955224]     LR = 0x1001364c
> [  672.955269]
> [  672.956538] Allocated by task 340:
> [  672.959969]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  672.960219]  copy_user_test+0x28/0x1bc [test_kasan]
> [  672.960454]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
> [  672.960597]  do_one_initcall+0x40/0x278
> [  672.960766]  do_init_module+0xcc/0x59c
> [  672.960924]  load_module+0x2bc4/0x320c
> [  672.961081]  sys_init_module+0x114/0x138
> [  672.961226]  ret_from_syscall+0x0/0x38
> [  672.961272]
> [  672.962558] Freed by task 276:
> [  672.965645]  __kasan_slab_free+0x120/0x22c
> [  672.965764]  kfree+0x74/0x270
> [  672.965896]  single_release+0x54/0x6c
> [  672.966070]  close_pdeo+0x128/0x224
> [  672.966236]  proc_reg_release+0x110/0x128
> [  672.966369]  __fput+0xec/0x2d4
> [  672.966493]  task_work_run+0x13c/0x15c
> [  672.966660]  do_notify_resume+0x3d8/0x438
> [  672.966809]  do_user_signal+0x2c/0x34
> [  672.966855]
> [  672.968190] The buggy address belongs to the object at c58eb020
> [  672.968190]  which belongs to the cache kmalloc-16 of size 16
> [  672.979735] The buggy address is located 0 bytes inside of
> [  672.979735]  16-byte region [c58eb020, c58eb030)
> [  672.989653] The buggy address belongs to the page:
> [  672.994439] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  672.994550] flags: 0x200(slab)
> [  672.994778] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  672.994845] page dumped because: kasan: bad access detected
> [  672.994885]
> [  672.996188] Memory state around the buggy address:
> [  673.000996]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
> [  673.007450]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.013904] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
> [  673.020295]                           ^
> [  673.024144]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.030600]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.036990]
> ==================================================================
> [  673.327457] kasan test: copy_user_test out-of-bounds in
> __copy_from_user()
> [  673.327537]
> ==================================================================
> [  673.334723] BUG: KASAN: slab-out-of-bounds in
> copy_user_test+0xd0/0x1bc [test_kasan]
> [  673.342217] Write of size 11 at addr c58eb020 by task exe/340
> [  673.347825]
> [  673.349408] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  673.349459] Call Trace:
> [  673.349637] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  673.349842] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  673.350130] [c5649ce0] [c95d51f0] copy_user_test+0xd0/0x1bc [test_kasan]
> [  673.350412] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0
> [test_kasan]
> [  673.350605] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  673.350821] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  673.351025] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  673.351231] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  673.351426] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  673.351592] --- interrupt: c01 at 0xfd6b914
> [  673.351592]     LR = 0x1001364c
> [  673.351638]
> [  673.352936] Allocated by task 340:
> [  673.356367]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  673.356619]  copy_user_test+0x28/0x1bc [test_kasan]
> [  673.356855]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
> [  673.357000]  do_one_initcall+0x40/0x278
> [  673.357168]  do_init_module+0xcc/0x59c
> [  673.357324]  load_module+0x2bc4/0x320c
> [  673.357483]  sys_init_module+0x114/0x138
> [  673.357626]  ret_from_syscall+0x0/0x38
> [  673.357673]
> [  673.358954] Freed by task 276:
> [  673.362040]  __kasan_slab_free+0x120/0x22c
> [  673.362161]  kfree+0x74/0x270
> [  673.362293]  single_release+0x54/0x6c
> [  673.362465]  close_pdeo+0x128/0x224
> [  673.362632]  proc_reg_release+0x110/0x128
> [  673.362764]  __fput+0xec/0x2d4
> [  673.362888]  task_work_run+0x13c/0x15c
> [  673.363057]  do_notify_resume+0x3d8/0x438
> [  673.363208]  do_user_signal+0x2c/0x34
> [  673.363256]
> [  673.364587] The buggy address belongs to the object at c58eb020
> [  673.364587]  which belongs to the cache kmalloc-16 of size 16
> [  673.376132] The buggy address is located 0 bytes inside of
> [  673.376132]  16-byte region [c58eb020, c58eb030)
> [  673.386050] The buggy address belongs to the page:
> [  673.390836] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  673.390947] flags: 0x200(slab)
> [  673.391175] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  673.391245] page dumped because: kasan: bad access detected
> [  673.391285]
> [  673.392585] Memory state around the buggy address:
> [  673.397393]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
> [  673.403847]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.410301] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
> [  673.416691]                           ^
> [  673.420541]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.426997]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.433387]
> ==================================================================
> [  673.446960] kasan test: copy_user_test out-of-bounds in __copy_to_user()
> [  673.447031]
> ==================================================================
> [  673.454258] BUG: KASAN: slab-out-of-bounds in
> copy_user_test+0xfc/0x1bc [test_kasan]
> [  673.461753] Read of size 11 at addr c58eb020 by task exe/340
> [  673.467275]
> [  673.468858] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  673.468909] Call Trace:
> [  673.469084] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  673.469286] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  673.469573] [c5649ce0] [c95d521c] copy_user_test+0xfc/0x1bc [test_kasan]
> [  673.469851] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0
> [test_kasan]
> [  673.470042] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  673.470256] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  673.470457] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  673.470660] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  673.470853] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  673.471019] --- interrupt: c01 at 0xfd6b914
> [  673.471019]     LR = 0x1001364c
> [  673.471064]
> [  673.472385] Allocated by task 340:
> [  673.475818]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  673.476065]  copy_user_test+0x28/0x1bc [test_kasan]
> [  673.476301]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
> [  673.476444]  do_one_initcall+0x40/0x278
> [  673.476612]  do_init_module+0xcc/0x59c
> [  673.476768]  load_module+0x2bc4/0x320c
> [  673.476925]  sys_init_module+0x114/0x138
> [  673.477067]  ret_from_syscall+0x0/0x38
> [  673.477113]
> [  673.478403] Freed by task 276:
> [  673.481490]  __kasan_slab_free+0x120/0x22c
> [  673.481610]  kfree+0x74/0x270
> [  673.481740]  single_release+0x54/0x6c
> [  673.481911]  close_pdeo+0x128/0x224
> [  673.482077]  proc_reg_release+0x110/0x128
> [  673.482209]  __fput+0xec/0x2d4
> [  673.482331]  task_work_run+0x13c/0x15c
> [  673.482500]  do_notify_resume+0x3d8/0x438
> [  673.482648]  do_user_signal+0x2c/0x34
> [  673.482694]
> [  673.484036] The buggy address belongs to the object at c58eb020
> [  673.484036]  which belongs to the cache kmalloc-16 of size 16
> [  673.495583] The buggy address is located 0 bytes inside of
> [  673.495583]  16-byte region [c58eb020, c58eb030)
> [  673.505500] The buggy address belongs to the page:
> [  673.510287] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  673.510396] flags: 0x200(slab)
> [  673.510622] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  673.510690] page dumped because: kasan: bad access detected
> [  673.510729]
> [  673.512037] Memory state around the buggy address:
> [  673.516842]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
> [  673.523297]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.529751] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
> [  673.536142]                           ^
> [  673.539991]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.546447]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.552838]
> ==================================================================
> [  673.835827] kasan test: copy_user_test out-of-bounds in
> __copy_from_user_inatomic()
> [  673.835905]
> ==================================================================
> [  673.843082] BUG: KASAN: slab-out-of-bounds in
> copy_user_test+0x128/0x1bc [test_kasan]
> [  673.850662] Write of size 11 at addr c58eb020 by task exe/340
> [  673.856272]
> [  673.857853] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  673.857905] Call Trace:
> [  673.858080] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  673.858285] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  673.858574] [c5649ce0] [c95d5248] copy_user_test+0x128/0x1bc [test_kasan]
> [  673.858855] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0
> [test_kasan]
> [  673.859046] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  673.859261] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  673.859463] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  673.859668] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  673.859863] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  673.860029] --- interrupt: c01 at 0xfd6b914
> [  673.860029]     LR = 0x1001364c
> [  673.860075]
> [  673.861380] Allocated by task 340:
> [  673.864812]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  673.865062]  copy_user_test+0x28/0x1bc [test_kasan]
> [  673.865299]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
> [  673.865444]  do_one_initcall+0x40/0x278
> [  673.865615]  do_init_module+0xcc/0x59c
> [  673.865773]  load_module+0x2bc4/0x320c
> [  673.865932]  sys_init_module+0x114/0x138
> [  673.866077]  ret_from_syscall+0x0/0x38
> [  673.866123]
> [  673.867399] Freed by task 276:
> [  673.870488]  __kasan_slab_free+0x120/0x22c
> [  673.870609]  kfree+0x74/0x270
> [  673.870741]  single_release+0x54/0x6c
> [  673.870913]  close_pdeo+0x128/0x224
> [  673.871080]  proc_reg_release+0x110/0x128
> [  673.871213]  __fput+0xec/0x2d4
> [  673.871337]  task_work_run+0x13c/0x15c
> [  673.871506]  do_notify_resume+0x3d8/0x438
> [  673.871655]  do_user_signal+0x2c/0x34
> [  673.871702]
> [  673.873032] The buggy address belongs to the object at c58eb020
> [  673.873032]  which belongs to the cache kmalloc-16 of size 16
> [  673.884578] The buggy address is located 0 bytes inside of
> [  673.884578]  16-byte region [c58eb020, c58eb030)
> [  673.894494] The buggy address belongs to the page:
> [  673.899282] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  673.899395] flags: 0x200(slab)
> [  673.899625] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  673.899694] page dumped because: kasan: bad access detected
> [  673.899734]
> [  673.901033] Memory state around the buggy address:
> [  673.905838]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
> [  673.912293]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.918748] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
> [  673.925136]                           ^
> [  673.928987]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.935442]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  673.941833]
> ==================================================================
> [  673.954463] kasan test: copy_user_test out-of-bounds in
> __copy_to_user_inatomic()
> [  673.954535]
> ==================================================================
> [  673.961759] BUG: KASAN: slab-out-of-bounds in
> copy_user_test+0x154/0x1bc [test_kasan]
> [  673.969339] Read of size 11 at addr c58eb020 by task exe/340
> [  673.974860]
> [  673.976444] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  673.976494] Call Trace:
> [  673.976668] [c5649c70] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  673.976870] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  673.977160] [c5649ce0] [c95d5274] copy_user_test+0x154/0x1bc [test_kasan]
> [  673.977439] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0
> [test_kasan]
> [  673.977630] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  673.977843] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  673.978045] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  673.978249] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  673.978441] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  673.978607] --- interrupt: c01 at 0xfd6b914
> [  673.978607]     LR = 0x1001364c
> [  673.978651]
> [  673.979971] Allocated by task 340:
> [  673.983401]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  673.983650]  copy_user_test+0x28/0x1bc [test_kasan]
> [  673.983885]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
> [  673.984030]  do_one_initcall+0x40/0x278
> [  673.984198]  do_init_module+0xcc/0x59c
> [  673.984354]  load_module+0x2bc4/0x320c
> [  673.984512]  sys_init_module+0x114/0x138
> [  673.984655]  ret_from_syscall+0x0/0x38
> [  673.984701]
> [  673.985990] Freed by task 276:
> [  673.989077]  __kasan_slab_free+0x120/0x22c
> [  673.989197]  kfree+0x74/0x270
> [  673.989327]  single_release+0x54/0x6c
> [  673.989499]  close_pdeo+0x128/0x224
> [  673.989664]  proc_reg_release+0x110/0x128
> [  673.989796]  __fput+0xec/0x2d4
> [  673.989918]  task_work_run+0x13c/0x15c
> [  673.990086]  do_notify_resume+0x3d8/0x438
> [  673.990235]  do_user_signal+0x2c/0x34
> [  673.990281]
> [  673.991622] The buggy address belongs to the object at c58eb020
> [  673.991622]  which belongs to the cache kmalloc-16 of size 16
> [  674.003168] The buggy address is located 0 bytes inside of
> [  674.003168]  16-byte region [c58eb020, c58eb030)
> [  674.013086] The buggy address belongs to the page:
> [  674.017872] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  674.017982] flags: 0x200(slab)
> [  674.018210] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  674.018277] page dumped because: kasan: bad access detected
> [  674.018316]
> [  674.019622] Memory state around the buggy address:
> [  674.024429]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
> [  674.030883]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  674.037338] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
> [  674.043727]                           ^
> [  674.047578]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  674.054034]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  674.060424]
> ==================================================================
> [  674.346609] kasan test: copy_user_test out-of-bounds in
> strncpy_from_user()
> [  674.346689]
> ==================================================================
> [  674.353778] BUG: KASAN: slab-out-of-bounds in
> strncpy_from_user+0x48/0x240
> [  674.360487] Write of size 11 at addr c58eb020 by task exe/340
> [  674.366094]
> [  674.367678] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  674.367731] Call Trace:
> [  674.367904] [c5649c40] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  674.368108] [c5649c70] [c0176d34] kasan_report+0xe4/0x168
> [  674.368323] [c5649cb0] [c03202f8] strncpy_from_user+0x48/0x240
> [  674.368627] [c5649ce0] [c95d52a4] copy_user_test+0x184/0x1bc [test_kasan]
> [  674.368908] [c5649d00] [c95d5574] kmalloc_tests_init+0x7c/0x2d0
> [test_kasan]
> [  674.369100] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  674.369315] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  674.369518] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  674.369724] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  674.369919] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  674.370086] --- interrupt: c01 at 0xfd6b914
> [  674.370086]     LR = 0x1001364c
> [  674.370132]
> [  674.371463] Allocated by task 340:
> [  674.374894]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  674.375146]  copy_user_test+0x28/0x1bc [test_kasan]
> [  674.375383]  kmalloc_tests_init+0x7c/0x2d0 [test_kasan]
> [  674.375527]  do_one_initcall+0x40/0x278
> [  674.375697]  do_init_module+0xcc/0x59c
> [  674.375854]  load_module+0x2bc4/0x320c
> [  674.376015]  sys_init_module+0x114/0x138
> [  674.376162]  ret_from_syscall+0x0/0x38
> [  674.376209]
> [  674.377481] Freed by task 276:
> [  674.380568]  __kasan_slab_free+0x120/0x22c
> [  674.380691]  kfree+0x74/0x270
> [  674.380824]  single_release+0x54/0x6c
> [  674.380998]  close_pdeo+0x128/0x224
> [  674.381165]  proc_reg_release+0x110/0x128
> [  674.381299]  __fput+0xec/0x2d4
> [  674.381424]  task_work_run+0x13c/0x15c
> [  674.381592]  do_notify_resume+0x3d8/0x438
> [  674.381743]  do_user_signal+0x2c/0x34
> [  674.381792]
> [  674.383113] The buggy address belongs to the object at c58eb020
> [  674.383113]  which belongs to the cache kmalloc-16 of size 16
> [  674.394659] The buggy address is located 0 bytes inside of
> [  674.394659]  16-byte region [c58eb020, c58eb030)
> [  674.404577] The buggy address belongs to the page:
> [  674.409363] page:c7fdc740 count:1 mapcount:0 mapping:c5007dc0 index:0x0
> [  674.409474] flags: 0x200(slab)
> [  674.409703] raw: 00000200 00000100 00000200 c5007dc0 00000000
> 02000401 ffffffff 00000001
> [  674.409772] page dumped because: kasan: bad access detected
> [  674.409812]
> [  674.411112] Memory state around the buggy address:
> [  674.415920]  c58eaf00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
> [  674.422374]  c58eaf80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  674.428827] >c58eb000: fb fb fc fc 00 02 fc fc fb fb fc fc fb fb fc fc
> [  674.435218]                           ^
> [  674.439067]  c58eb080: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  674.445524]  c58eb100: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
> [  674.451914]
> ==================================================================
> [  674.466513] kasan test: use_after_scope_test use-after-scope on int
> [  674.466592] kasan test: use_after_scope_test use-after-scope on array
> [  674.470775] kasan test: kmem_cache_double_free double-free on heap object
> [  674.471059]
> ==================================================================
> [  674.478286] BUG: KASAN: double-free or invalid-free in
> kmem_cache_double_free+0xac/0xc4 [test_kasan]
> [  674.487095]
> [  674.488679] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  674.488730] Call Trace:
> [  674.488906] [c5649b30] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  674.489118] [c5649b60] [c0176c24] kasan_report_invalid_free+0x48/0x74
> [  674.489296] [c5649b90] [c0175620] __kasan_slab_free+0x198/0x22c
> [  674.489467] [c5649cc0] [c0173838] kmem_cache_free+0x64/0x228
> [  674.489754] [c5649ce0] [c95d4df0] kmem_cache_double_free+0xac/0xc4
> [test_kasan]
> [  674.490029] [c5649d00] [c95d557c] kmalloc_tests_init+0x84/0x2d0
> [test_kasan]
> [  674.490219] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  674.490432] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  674.490633] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  674.490837] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  674.491031] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  674.491194] --- interrupt: c01 at 0xfd6b914
> [  674.491194]     LR = 0x1001364c
> [  674.491239]
> [  674.492547] Allocated by task 340:
> [  674.495981]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  674.496108]  kmem_cache_alloc+0xf4/0x210
> [  674.496355]  kmem_cache_double_free+0x78/0xc4 [test_kasan]
> [  674.496584]  kmalloc_tests_init+0x84/0x2d0 [test_kasan]
> [  674.496727]  do_one_initcall+0x40/0x278
> [  674.496893]  do_init_module+0xcc/0x59c
> [  674.497050]  load_module+0x2bc4/0x320c
> [  674.497208]  sys_init_module+0x114/0x138
> [  674.497354]  ret_from_syscall+0x0/0x38
> [  674.497400]
> [  674.498652] Freed by task 340:
> [  674.501739]  __kasan_slab_free+0x120/0x22c
> [  674.501866]  kmem_cache_free+0x64/0x228
> [  674.502112]  kmem_cache_double_free+0xa0/0xc4 [test_kasan]
> [  674.502340]  kmalloc_tests_init+0x84/0x2d0 [test_kasan]
> [  674.502483]  do_one_initcall+0x40/0x278
> [  674.502650]  do_init_module+0xcc/0x59c
> [  674.502807]  load_module+0x2bc4/0x320c
> [  674.502966]  sys_init_module+0x114/0x138
> [  674.503112]  ret_from_syscall+0x0/0x38
> [  674.503158]
> [  674.504460] The buggy address belongs to the object at c5528000
> [  674.504460]  which belongs to the cache test_cache of size 200
> [  674.516091] The buggy address is located 0 bytes inside of
> [  674.516091]  200-byte region [c5528000, c55280c8)
> [  674.526092] The buggy address belongs to the page:
> [  674.530877] page:c7fda940 count:1 mapcount:0 mapping:c540a700 index:0x0
> [  674.530988] flags: 0x200(slab)
> [  674.531216] raw: 00000200 00000100 00000200 c540a700 00000000
> 003e007d ffffffff 00000001
> [  674.531284] page dumped because: kasan: bad access detected
> [  674.531323]
> [  674.532630] Memory state around the buggy address:
> [  674.537436]  c5527f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  674.543890]  c5527f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  674.550345] >c5528000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  674.556731]            ^
> [  674.559293]  c5528080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
> [  674.565750]  c5528100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  674.572138]
> ==================================================================
> [  674.880790] kasan test: kmem_cache_invalid_free invalid-free of heap
> object
> [  674.881044]
> ==================================================================
> [  674.888197] BUG: KASAN: double-free or invalid-free in
> kmem_cache_invalid_free+0xa0/0xc4 [test_kasan]
> [  674.897089]
> [  674.898670] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  674.898722] Call Trace:
> [  674.898899] [c5649b30] [c0176998]
> print_address_description+0x6c/0x2b0 (unreliable)
> [  674.899113] [c5649b60] [c0176c24] kasan_report_invalid_free+0x48/0x74
> [  674.899293] [c5649b90] [c0175620] __kasan_slab_free+0x198/0x22c
> [  674.899467] [c5649cc0] [c0173838] kmem_cache_free+0x64/0x228
> [  674.899756] [c5649ce0] [c95d4ea8] kmem_cache_invalid_free+0xa0/0xc4
> [test_kasan]
> [  674.900031] [c5649d00] [c95d5580] kmalloc_tests_init+0x88/0x2d0
> [test_kasan]
> [  674.900222] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  674.900437] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  674.900639] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  674.900845] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  674.901040] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  674.901206] --- interrupt: c01 at 0xfd6b914
> [  674.901206]     LR = 0x1001364c
> [  674.901251]
> [  674.902542] Allocated by task 340:
> [  674.905975]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  674.906103]  kmem_cache_alloc+0xf4/0x210
> [  674.906351]  kmem_cache_invalid_free+0x78/0xc4 [test_kasan]
> [  674.906584]  kmalloc_tests_init+0x88/0x2d0 [test_kasan]
> [  674.906730]  do_one_initcall+0x40/0x278
> [  674.906899]  do_init_module+0xcc/0x59c
> [  674.907056]  load_module+0x2bc4/0x320c
> [  674.907217]  sys_init_module+0x114/0x138
> [  674.907364]  ret_from_syscall+0x0/0x38
> [  674.907411]
> [  674.908731] Freed by task 0:
> [  674.911551] (stack is not available)
> [  674.915074]
> [  674.916605] The buggy address belongs to the object at c5528000
> [  674.916605]  which belongs to the cache test_cache of size 200
> [  674.928237] The buggy address is located 1 bytes inside of
> [  674.928237]  200-byte region [c5528000, c55280c8)
> [  674.938237] The buggy address belongs to the page:
> [  674.943024] page:c7fda940 count:1 mapcount:0 mapping:c540a7d0 index:0x0
> [  674.943136] flags: 0x200(slab)
> [  674.943365] raw: 00000200 00000100 00000200 c540a7d0 00000000
> 003e007d ffffffff 00000001
> [  674.943434] page dumped because: kasan: bad access detected
> [  674.943475]
> [  674.944775] Memory state around the buggy address:
> [  674.949581]  c5527f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  674.956036]  c5527f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  674.962491] >c5528000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  674.968876]            ^
> [  674.971438]  c5528080: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
> [  674.977895]  c5528100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  674.984285]
> ==================================================================
> [  675.126818] kasan test: kasan_memchr out-of-bounds in memchr
> [  675.126994] kasan test: kasan_memcmp out-of-bounds in memcmp
> [  675.127158] kasan test: kasan_strings use-after-free in strchr
> [  675.127309]
> ==================================================================
> [  675.134382] BUG: KASAN: use-after-free in strchr+0x1c/0x80
> [  675.139762] Read of size 1 at addr c53e8e20 by task exe/340
> [  675.145200]
> [  675.146784] CPU: 0 PID: 340 Comm: exe Tainted: G    B
> 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  675.146836] Call Trace:
> [  675.147010] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
> [  675.147215] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
> [  675.147385] [c5649cc0] [c072ec4c] strchr+0x1c/0x80
> [  675.147684] [c5649ce0] [c95d5440] kasan_strings+0x60/0x118 [test_kasan]
> [  675.147966] [c5649d00] [c95d558c] kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.148157] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  675.148372] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  675.148577] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  675.148781] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  675.148976] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  675.149143] --- interrupt: c01 at 0xfd6b914
> [  675.149143]     LR = 0x1001364c
> [  675.149189]
> [  675.150483] Allocated by task 340:
> [  675.153915]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  675.154163]  kasan_strings+0x44/0x118 [test_kasan]
> [  675.154400]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.154545]  do_one_initcall+0x40/0x278
> [  675.154714]  do_init_module+0xcc/0x59c
> [  675.154872]  load_module+0x2bc4/0x320c
> [  675.155033]  sys_init_module+0x114/0x138
> [  675.155179]  ret_from_syscall+0x0/0x38
> [  675.155225]
> [  675.156501] Freed by task 340:
> [  675.159587]  __kasan_slab_free+0x120/0x22c
> [  675.159709]  kfree+0x74/0x270
> [  675.159954]  kasan_strings+0x54/0x118 [test_kasan]
> [  675.160191]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.160337]  do_one_initcall+0x40/0x278
> [  675.160508]  do_init_module+0xcc/0x59c
> [  675.160667]  load_module+0x2bc4/0x320c
> [  675.160828]  sys_init_module+0x114/0x138
> [  675.160973]  ret_from_syscall+0x0/0x38
> [  675.161019]
> [  675.162306] The buggy address belongs to the object at c53e8e10
> [  675.162306]  which belongs to the cache kmalloc-32 of size 32
> [  675.173853] The buggy address is located 16 bytes inside of
> [  675.173853]  32-byte region [c53e8e10, c53e8e30)
> [  675.183856] The buggy address belongs to the page:
> [  675.188642] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
> [  675.188753] flags: 0x200(slab)
> [  675.188982] raw: 00000200 00000100 00000200 c5007cf0 00000000 015502ab ffffffff 00000001
> [  675.189051] page dumped because: kasan: bad access detected
> [  675.189091]
> [  675.190392] Memory state around the buggy address:
> [  675.195199]  c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
> [  675.201653]  c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00
> [  675.208108] >c53e8e00: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc fb fb
> [  675.214497]                        ^
> [  675.218089]  c53e8e80: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
> [  675.224544]  c53e8f00: 00 00 00 04 fc fc fb fb fb fb fc fc fb fb fb fb
> [  675.230935]
> ==================================================================
> [  675.383353] kasan test: kasan_strings use-after-free in strrchr
> [  675.383430]
> ==================================================================
> [  675.390498] BUG: KASAN: use-after-free in strrchr+0x30/0x64
> [  675.395964] Read of size 1 at addr c53e8e20 by task exe/340
> [  675.401403]
> [  675.402986] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  675.403038] Call Trace:
> [  675.403212] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
> [  675.403415] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
> [  675.403587] [c5649cc0] [c072ed48] strrchr+0x30/0x64
> [  675.403888] [c5649ce0] [c95d545c] kasan_strings+0x7c/0x118 [test_kasan]
> [  675.404170] [c5649d00] [c95d558c] kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.404362] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  675.404576] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  675.404779] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  675.404983] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  675.405177] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  675.405344] --- interrupt: c01 at 0xfd6b914
> [  675.405344]     LR = 0x1001364c
> [  675.405390]
> [  675.406684] Allocated by task 340:
> [  675.410118]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  675.410366]  kasan_strings+0x44/0x118 [test_kasan]
> [  675.410603]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.410750]  do_one_initcall+0x40/0x278
> [  675.410919]  do_init_module+0xcc/0x59c
> [  675.411078]  load_module+0x2bc4/0x320c
> [  675.411238]  sys_init_module+0x114/0x138
> [  675.411384]  ret_from_syscall+0x0/0x38
> [  675.411430]
> [  675.412704] Freed by task 340:
> [  675.415789]  __kasan_slab_free+0x120/0x22c
> [  675.415910]  kfree+0x74/0x270
> [  675.416155]  kasan_strings+0x54/0x118 [test_kasan]
> [  675.416391]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.416537]  do_one_initcall+0x40/0x278
> [  675.416706]  do_init_module+0xcc/0x59c
> [  675.416865]  load_module+0x2bc4/0x320c
> [  675.417024]  sys_init_module+0x114/0x138
> [  675.417169]  ret_from_syscall+0x0/0x38
> [  675.417215]
> [  675.418509] The buggy address belongs to the object at c53e8e10
> [  675.418509]  which belongs to the cache kmalloc-32 of size 32
> [  675.430055] The buggy address is located 16 bytes inside of
> [  675.430055]  32-byte region [c53e8e10, c53e8e30)
> [  675.440057] The buggy address belongs to the page:
> [  675.444844] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
> [  675.444955] flags: 0x200(slab)
> [  675.445184] raw: 00000200 00000100 00000200 c5007cf0 00000000 015502ab ffffffff 00000001
> [  675.445253] page dumped because: kasan: bad access detected
> [  675.445293]
> [  675.446595] Memory state around the buggy address:
> [  675.451401]  c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
> [  675.457856]  c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00
> [  675.464310] >c53e8e00: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc fb fb
> [  675.470698]                        ^
> [  675.474291]  c53e8e80: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
> [  675.480747]  c53e8f00: 00 00 00 04 fc fc fb fb fb fb fc fc fb fb fb fb
> [  675.487138]
> ==================================================================
> [  675.500419] kasan test: kasan_strings use-after-free in strcmp
> [  675.500491]
> ==================================================================
> [  675.507536] BUG: KASAN: use-after-free in strcmp+0x30/0x90
> [  675.512918] Read of size 1 at addr c53e8e20 by task exe/340
> [  675.518358]
> [  675.519942] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  675.519994] Call Trace:
> [  675.520167] [c5649c50] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
> [  675.520369] [c5649c80] [c0176d34] kasan_report+0xe4/0x168
> [  675.520536] [c5649cc0] [c072ebd0] strcmp+0x30/0x90
> [  675.520833] [c5649ce0] [c95d5480] kasan_strings+0xa0/0x118 [test_kasan]
> [  675.521113] [c5649d00] [c95d558c] kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.521303] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  675.521514] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  675.521716] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  675.521919] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  675.522111] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  675.522275] --- interrupt: c01 at 0xfd6b914
> [  675.522275]     LR = 0x1001364c
> [  675.522320]
> [  675.523640] Allocated by task 340:
> [  675.527073]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  675.527321]  kasan_strings+0x44/0x118 [test_kasan]
> [  675.527556]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.527699]  do_one_initcall+0x40/0x278
> [  675.527867]  do_init_module+0xcc/0x59c
> [  675.528024]  load_module+0x2bc4/0x320c
> [  675.528182]  sys_init_module+0x114/0x138
> [  675.528327]  ret_from_syscall+0x0/0x38
> [  675.528373]
> [  675.529658] Freed by task 340:
> [  675.532745]  __kasan_slab_free+0x120/0x22c
> [  675.532865]  kfree+0x74/0x270
> [  675.533109]  kasan_strings+0x54/0x118 [test_kasan]
> [  675.533343]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.533486]  do_one_initcall+0x40/0x278
> [  675.533654]  do_init_module+0xcc/0x59c
> [  675.533810]  load_module+0x2bc4/0x320c
> [  675.533967]  sys_init_module+0x114/0x138
> [  675.534112]  ret_from_syscall+0x0/0x38
> [  675.534157]
> [  675.535463] The buggy address belongs to the object at c53e8e10
> [  675.535463]  which belongs to the cache kmalloc-32 of size 32
> [  675.547010] The buggy address is located 16 bytes inside of
> [  675.547010]  32-byte region [c53e8e10, c53e8e30)
> [  675.557012] The buggy address belongs to the page:
> [  675.561799] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
> [  675.561909] flags: 0x200(slab)
> [  675.562137] raw: 00000200 00000100 00000200 c5007cf0 00000000 015502ab ffffffff 00000001
> [  675.562204] page dumped because: kasan: bad access detected
> [  675.562243]
> [  675.563549] Memory state around the buggy address:
> [  675.568356]  c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
> [  675.574809]  c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00
> [  675.581265] >c53e8e00: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc fb fb
> [  675.587653]                        ^
> [  675.591247]  c53e8e80: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
> [  675.597702]  c53e8f00: 00 00 00 04 fc fc fb fb fb fb fc fc fb fb fb fb
> [  675.604091]
> ==================================================================
> [  675.894391] kasan test: kasan_strings use-after-free in strncmp
> [  675.894468] kasan test: kasan_strings use-after-free in strlen
> [  675.894536] kasan test: kasan_strings use-after-free in strnlen
> [  675.894600]
> ==================================================================
> [  675.901698] BUG: KASAN: use-after-free in strnlen+0x24/0x88
> [  675.907165] Read of size 1 at addr c53e8e20 by task exe/340
> [  675.912603]
> [  675.914186] CPU: 0 PID: 340 Comm: exe Tainted: G    B 5.0.0-rc2-s3k-dev-00559-g88aa407c4bce-dirty #778
> [  675.914237] Call Trace:
> [  675.914412] [c5649c70] [c0176998] print_address_description+0x6c/0x2b0 (unreliable)
> [  675.914617] [c5649ca0] [c0176d34] kasan_report+0xe4/0x168
> [  675.914788] [c5649ce0] [c072eeb4] strnlen+0x24/0x88
> [  675.915091] [c5649d00] [c95d558c] kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.915283] [c5649d10] [c0003a44] do_one_initcall+0x40/0x278
> [  675.915497] [c5649d80] [c00b2bc0] do_init_module+0xcc/0x59c
> [  675.915700] [c5649db0] [c00b1384] load_module+0x2bc4/0x320c
> [  675.915904] [c5649ec0] [c00b1ae0] sys_init_module+0x114/0x138
> [  675.916099] [c5649f40] [c001211c] ret_from_syscall+0x0/0x38
> [  675.916267] --- interrupt: c01 at 0xfd6b914
> [  675.916267]     LR = 0x1001364c
> [  675.916312]
> [  675.917626] Allocated by task 340:
> [  675.921059]  __kasan_kmalloc.isra.0+0xc8/0x1b0
> [  675.921309]  kasan_strings+0x44/0x118 [test_kasan]
> [  675.921546]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.921690]  do_one_initcall+0x40/0x278
> [  675.921858]  do_init_module+0xcc/0x59c
> [  675.922016]  load_module+0x2bc4/0x320c
> [  675.922174]  sys_init_module+0x114/0x138
> [  675.922318]  ret_from_syscall+0x0/0x38
> [  675.922365]
> [  675.923645] Freed by task 340:
> [  675.926731]  __kasan_slab_free+0x120/0x22c
> [  675.926851]  kfree+0x74/0x270
> [  675.927097]  kasan_strings+0x54/0x118 [test_kasan]
> [  675.927334]  kmalloc_tests_init+0x94/0x2d0 [test_kasan]
> [  675.927479]  do_one_initcall+0x40/0x278
> [  675.927647]  do_init_module+0xcc/0x59c
> [  675.927804]  load_module+0x2bc4/0x320c
> [  675.927962]  sys_init_module+0x114/0x138
> [  675.928107]  ret_from_syscall+0x0/0x38
> [  675.928154]
> [  675.929450] The buggy address belongs to the object at c53e8e10
> [  675.929450]  which belongs to the cache kmalloc-32 of size 32
> [  675.940997] The buggy address is located 16 bytes inside of
> [  675.940997]  32-byte region [c53e8e10, c53e8e30)
> [  675.950999] The buggy address belongs to the page:
> [  675.955786] page:c7fd9f40 count:1 mapcount:0 mapping:c5007cf0 index:0x0
> [  675.955897] flags: 0x200(slab)
> [  675.956127] raw: 00000200 00000100 00000200 c5007cf0 00000000 015502ab ffffffff 00000001
> [  675.956196] page dumped because: kasan: bad access detected
> [  675.956236]
> [  675.957536] Memory state around the buggy address:
> [  675.962343]  c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc
> [  675.968796]  c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00
> [  675.975251] >c53e8e00: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc fb fb
> [  675.981640]                        ^
> [  675.985233]  c53e8e80: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
> [  675.991688]  c53e8f00: 00 00 00 04 fc fc fb fb fb fb fc fc fb fb fb fb
> [  675.998080]
> ==================================================================
> [  721.624809] random: crng init done

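
As an added example (not part of the patch series, and not code from the quoted test output), the C program below decodes the "Memory state around the buggy address" rows of the strchr use-after-free report above, using the generic KASAN shadow encoding from mm/kasan/kasan.h: each shadow byte guards an 8-byte granule, so a 16-byte row covers 128 bytes of kernel memory (which is why the row addresses step by 0x80); 00 means the granule is fully addressable, 01..07 that only the first N bytes are, fb (KASAN_KMALLOC_FREE) a freed kmalloc object and fc (KASAN_KMALLOC_REDZONE) a kmalloc redzone. The five rows are copied verbatim from the report (timestamps dropped); the function names are my own and the single-byte check mirrors what KASAN does for a size-1 access. Run on the faulting address c53e8e20 it lands on the fb the caret points at, and walking the 32-byte object [c53e8e10, c53e8e30) shows every granule of it poisoned as freed, which is exactly what "use-after-free in strchr" asserts.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Generic KASAN: one shadow byte per 8-byte granule; a report row holds 16 shadow bytes. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define SHADOW_BYTES_PER_ROW 16
#define MEM_BYTES_PER_ROW (SHADOW_BYTES_PER_ROW << KASAN_SHADOW_SCALE_SHIFT)

/* Shadow poison values as defined in mm/kasan/kasan.h (generic mode). */
#define KASAN_FREE_PAGE       0xFF
#define KASAN_PAGE_REDZONE    0xFE
#define KASAN_KMALLOC_REDZONE 0xFC
#define KASAN_KMALLOC_FREE    0xFB
#define KASAN_GLOBAL_REDZONE  0xFA
#define KASAN_STACK_LEFT      0xF1
#define KASAN_STACK_MID       0xF2
#define KASAN_STACK_RIGHT     0xF3
#define KASAN_STACK_PARTIAL   0xF4

/* Rows copied from the strchr report quoted above; '>' marks the row of the faulting address. */
static const char *const report_rows[] = {
	" c53e8d00: 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00 fc fc",
	" c53e8d80: 00 00 00 00 fc fc 00 00 00 00 fc fc 00 00 00 00",
	">c53e8e00: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc fb fb",
	" c53e8e80: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc",
	" c53e8f00: 00 00 00 04 fc fc fb fb fb fb fc fc fb fb fb fb",
};
#define NROWS (sizeof(report_rows) / sizeof(report_rows[0]))

struct shadow_row {
	uint32_t mem_base;                    /* memory address guarded by shadow[0] */
	uint8_t shadow[SHADOW_BYTES_PER_ROW];
};

/* Parse one dump row ("[>| ]<addr>: <16 hex bytes>"). Returns 0 on success, -1 if malformed. */
int parse_shadow_row(const char *line, struct shadow_row *row)
{
	const char *p = line;
	char *end;

	if (*p == '>' || *p == ' ')
		p++;
	row->mem_base = (uint32_t)strtoul(p, &end, 16);
	if (end == p || *end != ':')
		return -1;
	p = end + 1;
	for (int i = 0; i < SHADOW_BYTES_PER_ROW; i++) {
		unsigned long v = strtoul(p, &end, 16);

		if (end == p || v > 0xff)
			return -1;
		row->shadow[i] = (uint8_t)v;
		p = end;
	}
	return 0;
}

/* Shadow byte guarding @addr, or -1 if the quoted rows do not cover it. */
int lookup_shadow(uint32_t addr)
{
	struct shadow_row row;

	for (size_t i = 0; i < NROWS; i++) {
		if (parse_shadow_row(report_rows[i], &row) < 0)
			return -1;
		if (addr >= row.mem_base && addr - row.mem_base < MEM_BYTES_PER_ROW)
			return row.shadow[(addr - row.mem_base) >> KASAN_SHADOW_SCALE_SHIFT];
	}
	return -1;
}

const char *shadow_desc(int s)
{
	switch (s) {
	case 0x00:                 return "8 bytes addressable";
	case KASAN_KMALLOC_FREE:   return "freed heap region";
	case KASAN_KMALLOC_REDZONE: return "kmalloc redzone";
	case KASAN_FREE_PAGE:      return "freed page";
	case KASAN_PAGE_REDZONE:   return "page redzone";
	case KASAN_GLOBAL_REDZONE: return "global redzone";
	case KASAN_STACK_LEFT: case KASAN_STACK_MID:
	case KASAN_STACK_RIGHT: case KASAN_STACK_PARTIAL:
		return "stack redzone";
	default:
		return (s > 0 && s < 8) ? "partially addressable (first N bytes)" : "unknown";
	}
}

/* Single-byte access check as KASAN performs it: shadow 0 is fully addressable,
 * 1..7 allows only offsets below that value inside the granule, anything >= 8 is poison. */
int byte_access_ok(uint32_t addr)
{
	int s = lookup_shadow(addr);

	if (s < 0 || s >= (1 << KASAN_SHADOW_SCALE_SHIFT))
		return 0;
	return s == 0 || (addr & 7) < (uint32_t)s;
}

int main(void)
{
	uint32_t bad = 0xc53e8e20;  /* "Read of size 1 at addr c53e8e20" in the report */
	int s = lookup_shadow(bad);

	printf("addr %08x -> shadow %02x (%s), byte access %s\n", bad, s,
	       shadow_desc(s), byte_access_ok(bad) ? "ok" : "BAD");
	/* The report's 32-byte object [c53e8e10, c53e8e30) should be poisoned end to end. */
	for (uint32_t a = 0xc53e8e10; a < 0xc53e8e30; a += 8)
		printf("  granule %08x: %02x (%s)\n", a, lookup_shadow(a), shadow_desc(lookup_shadow(a)));
	return 0;
}
```

The 04 in the c53e8f00 row is the case worth remembering when reading these dumps by hand: only the first four bytes of that granule are addressable, so a one-byte read at c53e8f1b passes the check while one at c53e8f1c is reported, even though both fall in a granule whose neighbours read 00.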


Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-12 11:16 [PATCH v3 0/3] KASAN for powerpc/32 Christophe Leroy
2019-01-12 11:16 ` [PATCH v3 1/3] powerpc/mm: prepare kernel for KAsan on PPC32 Christophe Leroy
2019-01-14  9:34   ` Dmitry Vyukov
2019-01-15  7:27     ` Christophe Leroy
2019-01-15 11:14       ` Dmitry Vyukov
2019-01-15 17:07         ` Andrey Ryabinin
2019-01-15 17:10           ` Dmitry Vyukov
2019-01-15 17:25             ` Christophe Leroy
2019-01-16 10:03               ` Dmitry Vyukov
2019-01-12 11:16 ` [PATCH v3 2/3] powerpc/32: Move early_init() in a separate file Christophe Leroy
2019-01-12 11:16 ` [PATCH v3 3/3] powerpc/32: Add KASAN support Christophe Leroy
2019-01-15 17:23   ` Andrey Ryabinin
2019-01-21  7:17     ` Christophe Leroy
2019-01-21  8:30       ` Dmitry Vyukov
2019-01-21  8:37         ` Christophe Leroy
2019-01-21  9:24           ` Dmitry Vyukov
2019-01-21  9:30             ` Christophe Leroy
2019-01-21 10:36     ` Christophe Leroy
2019-01-21 12:33       ` Dmitry Vyukov
