From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: He Ying <heying24@huawei.com>, Wanming Hu <huwanming@huaweil.com>,
Chen Jingwen <chenjingwen6@huawei.com>,
Kees Cook <keescook@chromium.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Sasha Levin <sashal@kernel.org>,
benh@kernel.crashing.org, paulus@samba.org,
linuxppc-dev@lists.ozlabs.org
Subject: [PATCH AUTOSEL 5.10 01/29] powerpc/kasan: Silence KASAN warnings in __get_wchan()
Date: Mon, 13 Jun 2022 22:07:47 -0400 [thread overview]
Message-ID: <20220614020815.1099999-1-sashal@kernel.org> (raw)
From: He Ying <heying24@huawei.com>
[ Upstream commit a1b29ba2f2c171b9bea73be993bfdf0a62d37d15 ]
The following KASAN warning was reported in our kernel.
BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
Read of size 4 at addr d216f958 by task ps/14437
CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
Call Trace:
[daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable)
[daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570
[daa63908] [c035d6bc] kasan_report+0x1ac/0x218
[daa63948] [c00496e8] get_wchan+0x188/0x250
[daa63978] [c0461ec8] do_task_stat+0xce8/0xe60
[daa63b98] [c0455ac8] proc_single_show+0x98/0x170
[daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900
[daa63c38] [c03cb47c] seq_read+0x1dc/0x290
[daa63d68] [c037fc94] vfs_read+0x164/0x510
[daa63ea8] [c03808e4] ksys_read+0x144/0x1d0
[daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38
--- interrupt: c00 at 0x8fa8f4
LR = 0x8fa8cc
The buggy address belongs to the page:
page:98ebcdd2 refcount:0 mapcount:0 mapping:00000000 index:0x2 pfn:0x1216f
flags: 0x0()
raw: 00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000
raw: 00000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
^
d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
After looking into this issue, I find the buggy address belongs
to the task stack region. It seems KASAN has something wrong.
I look into the code of __get_wchan in x86 architecture and
find the same issue has been resolved by the commit
f7d27c35ddff ("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
The solution could be applied to powerpc architecture too.
As Andrey Ryabinin said, get_wchan() is racy by design, it may
access volatile stack of running task, thus it may access
redzone in a stack frame and cause KASAN to warn about this.
Use READ_ONCE_NOCHECK() to silence these warnings.
Reported-by: Wanming Hu <huwanming@huaweil.com>
Signed-off-by: He Ying <heying24@huawei.com>
Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220121014418.155675-1-heying24@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/process.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index 3064694afea1..cfb8fd76afb4 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -2108,12 +2108,12 @@ static unsigned long __get_wchan(struct task_struct *p)
return 0;
do {
- sp = *(unsigned long *)sp;
+ sp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) ||
p->state == TASK_RUNNING)
return 0;
if (count > 0) {
- ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE];
+ ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]);
if (!in_sched_functions(ip))
return ip;
}
--
2.35.1
next reply other threads:[~2022-06-14 2:16 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-14 2:07 Sasha Levin [this message]
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 02/29] ASoC: nau8822: Add operation for internal PLL off and on Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 03/29] dma-debug: make things less spammy under memory pressure Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 04/29] ASoC: cs42l52: Fix TLV scales for mixer controls Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 05/29] ASoC: cs35l36: Update digital volume TLV Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 06/29] ASoC: cs53l30: Correct number of volume levels on SX controls Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 07/29] ASoC: cs42l52: Correct TLV for Bypass Volume Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 08/29] ASoC: cs42l56: Correct typo in minimum level for SX volume controls Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 09/29] ASoC: cs42l51: Correct minimum value for SX volume control Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 10/29] ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo() Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 11/29] quota: Prevent memory allocation recursion while holding dq_lock Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 12/29] ASoC: wm8962: Fix suspend while playing music Sasha Levin
2022-06-14 2:07 ` [PATCH AUTOSEL 5.10 13/29] ASoC: es8328: Fix event generation for deemphasis control Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 14/29] ASoC: wm_adsp: Fix event generation for wm_adsp_fw_put() Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 15/29] Input: soc_button_array - also add Lenovo Yoga Tablet2 1051F to dmi_use_low_level_irq Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 16/29] scsi: vmw_pvscsi: Expand vcpuHint to 16 bits Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 17/29] scsi: lpfc: Fix port stuck in bypassed state after LIP in PT2PT topology Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 18/29] scsi: lpfc: Allow reduced polling rate for nvme_admin_async_event cmd completion Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 19/29] scsi: ipr: Fix missing/incorrect resource cleanup in error case Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 20/29] scsi: pmcraid: Fix missing " Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 21/29] ALSA: hda/realtek - Add HW8326 support Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 22/29] virtio-mmio: fix missing put_device() when vm_cmdline_parent registration failed Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 23/29] nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 24/29] ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 25/29] net: ethernet: mtk_eth_soc: fix misuse of mem alloc interface netdev[napi]_alloc_frag Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 26/29] mellanox: mlx5: avoid uninitialized variable warning with gcc-12 Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 27/29] netfs: gcc-12: temporarily disable '-Wattribute-warning' for now Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 28/29] MIPS: Loongson-3: fix compile mips cpu_hwmon as module build error Sasha Levin
2022-06-14 2:08 ` [PATCH AUTOSEL 5.10 29/29] gpio: dwapb: Don't print error on -EPROBE_DEFER Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220614020815.1099999-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=benh@kernel.crashing.org \
--cc=chenjingwen6@huawei.com \
--cc=heying24@huawei.com \
--cc=huwanming@huaweil.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=paulus@samba.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).