From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wm0-f71.google.com (mail-wm0-f71.google.com [74.125.82.71]) by kanga.kvack.org (Postfix) with ESMTP id 900A16B0273 for ; Mon, 4 Dec 2017 06:58:07 -0500 (EST) Received: by mail-wm0-f71.google.com with SMTP id k126so4157761wmd.5 for ; Mon, 04 Dec 2017 03:58:07 -0800 (PST) Received: from fireflyinternet.com (mail.fireflyinternet.com. [109.228.58.192]) by mx.google.com with ESMTPS id q197si4993490wmb.236.2017.12.04.03.58.05 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 04 Dec 2017 03:58:05 -0800 (PST) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Chris Wilson In-Reply-To: References: <20171129052106.rhgbjhhis53hkgfn@wfg-t540p.sh.intel.com> Message-ID: <151238865557.4852.10258661301122491354@mail.alporthouse.com> Subject: Re: d17a1d97dc ("x86/mm/kasan: don't use vmemmap_populate() to initialize shadow"): BUG: KASAN: use-after-scope in __drm_mm_interval_first Date: Mon, 04 Dec 2017 11:57:35 +0000 Sender: owner-linux-mm@kvack.org List-ID: To: Dmitry Vyukov , Fengguang Wu Cc: Andrey Ryabinin , wfg@linux.intel.com, Pavel Tatashin , Andrew Morton , Linux Memory Management List , LKML , kasan-dev , LKP , David Airlie , Daniel Vetter , joonas.lahtinen@linux.intel.com, christian.koenig@amd.com, dri-devel@lists.freedesktop.org Quoting Dmitry Vyukov (2017-11-29 19:00:59) > On Wed, Nov 29, 2017 at 6:21 AM, Fengguang Wu wr= ote: > > Greetings, > > > > 0day kernel testing robot got the below dmesg and the first bad commit = is > > > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git mast= er > > > > commit d17a1d97dc208d664c91cc387ffb752c7f85dc61 > > Author: Andrey Ryabinin > > AuthorDate: Wed Nov 15 17:36:35 2017 -0800 > > Commit: Linus Torvalds > > CommitDate: Wed Nov 15 18:21:05 2017 -0800 > > > > x86/mm/kasan: don't use vmemmap_populate() to initialize shadow > > > > The kasan shadow is currently mapped using vmemmap_populate() sinc= e that > > provides a semi-convenient way to map pages into init_top_pgt. Ho= wever, > > since that no longer zeroes the mapped pages, it is not suitable f= or > > kasan, which requires zeroed shadow memory. > > > > Add kasan_populate_shadow() interface and use it instead of > > vmemmap_populate(). Besides, this allows us to take advantage of > > gigantic pages and use them to populate the shadow, which should s= ave us > > some memory wasted on page tables and reduce TLB pressure. > > > > Link: http://lkml.kernel.org/r/20171103185147.2688-2-pasha.tatashi= n@oracle.com > > Signed-off-by: Andrey Ryabinin > > Signed-off-by: Pavel Tatashin > > Cc: Steven Sistare > > Cc: Daniel Jordan > > Cc: Bob Picco > > Cc: Michal Hocko > > Cc: Alexander Potapenko > > Cc: Ard Biesheuvel > > Cc: Catalin Marinas > > Cc: Christian Borntraeger > > Cc: David S. Miller > > Cc: Dmitry Vyukov > > Cc: Heiko Carstens > > Cc: "H. Peter Anvin" > > Cc: Ingo Molnar > > Cc: Mark Rutland > > Cc: Matthew Wilcox > > Cc: Mel Gorman > > Cc: Michal Hocko > > Cc: Sam Ravnborg > > Cc: Thomas Gleixner > > Cc: Will Deacon > > Signed-off-by: Andrew Morton > > Signed-off-by: Linus Torvalds > > > > a4a3ede213 mm: zero reserved and unavailable struct pages > > d17a1d97dc x86/mm/kasan: don't use vmemmap_populate() to initialize sh= adow > > 43570f0383 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/= kernel/git/herbert/crypto-2.6 > > 5bef2980ad Add linux-next specific files for 20171128 > > +-------------------------------------------------------+------------+-= -----------+------------+---------------+ > > | | a4a3ede213 | = d17a1d97dc | 43570f0383 | next-20171128 | > > +-------------------------------------------------------+------------+-= -----------+------------+---------------+ > > | boot_successes | 30 | = 0 | 0 | 0 | > > | boot_failures | 8 | = 15 | 19 | 2 | > > | WARNING:at_drivers/pci/pci-sysfs.c:#pci_mmap_resource | 8 | = | | | > > | RIP:pci_mmap_resource | 8 | = | | | > > | BUG:KASAN:use-after-scope_in__drm_mm_interval_first | 0 | = 15 | 19 | 2 | > > +-------------------------------------------------------+------------+-= -----------+------------+---------------+ > > > > [ 27.628251] AMD IOMMUv2 functionality not available on this system > > [ 27.631925] drm_mm: Testing DRM range manger (struct drm_mm), with r= andom_seed=3D0x248e657d max_iterations=3D8192 max_prime=3D128 > > [ 27.633191] drm_mm: igt_sanitycheck - ok! > > [ 79.880445] Writes: Total: 2 Max/Min: 0/0 Fail: 0 > > [ 103.749567] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > [ 103.750064] BUG: KASAN: use-after-scope in __drm_mm_interval_first+0= xbb/0x1bf > > [ 103.750064] Read of size 8 at addr ffff880016577c08 by task swapper/= 0/1 > > [ 103.750064] > > [ 103.750064] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.0-04319-g= d17a1d9 #1 > > [ 103.750064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), B= IOS 1.10.2-1 04/01/2014 > > [ 103.750064] Call Trace: > > [ 103.750064] ? dump_stack+0xd1/0x16c > > [ 103.750064] ? _atomic_dec_and_lock+0x10f/0x10f > > [ 103.750064] ? print_address_description+0x93/0x22e > > [ 103.750064] ? __drm_mm_interval_first+0xbb/0x1bf > > [ 103.750064] ? kasan_report+0x219/0x23f > > [ 103.750064] ? __drm_mm_interval_first+0xbb/0x1bf > > [ 103.750064] ? assert_continuous+0x13c/0x22f > > [ 103.750064] ? drm_mm_replace_node+0x210/0x3ed > > [ 103.750064] ? __igt_insert+0x5af/0xb3a > > [ 103.750064] ? igt_bottomup+0x9e6/0x9e6 > > [ 103.750064] ? kvm_clock_read+0x21/0x29 > > [ 103.750064] ? kvm_sched_clock_read+0x5/0xd > > [ 103.750064] ? sched_clock+0x5/0x8 > > [ 103.750064] ? sched_clock_local+0x36/0xe8 > > [ 103.750064] ? sched_clock_cpu+0x123/0x13f > > [ 103.750064] ? rcu_irq_enter_disabled+0x8/0x8 > > [ 103.750064] ? next_prime_number+0x33f/0x368 > > [ 103.750064] ? rcu_note_context_switch+0x267/0x267 > > [ 103.750064] ? igt_replace+0x45/0xa9 > > [ 103.750064] ? test_drm_mm_init+0x112/0x164 > > [ 103.750064] ? drm_kms_helper_init+0x5/0x5 > > [ 103.750064] ? do_one_initcall+0xe7/0x1ef > > [ 103.750064] ? initcall_blacklisted+0x15d/0x15d > > [ 103.750064] ? up_read+0x2c/0x2c > > [ 103.750064] ? kasan_unpoison_shadow+0xf/0x2e > > [ 103.750064] ? kernel_init_freeable+0x2a8/0x33b > > [ 103.750064] ? rest_init+0x24f/0x24f > > [ 103.750064] ? kernel_init+0x7/0xfe > > [ 103.750064] ? rest_init+0x24f/0x24f > > [ 103.750064] ? ret_from_fork+0x24/0x30 > > [ 103.750064] > > [ 103.750064] The buggy address belongs to the page: > > [ 103.750064] page:ffff88001b1e3208 count:0 mapcount:0 mapping: = (null) index:0x0 > > [ 103.750064] flags: 0x401fff800000() > > [ 103.750064] raw: 0000401fff800000 0000000000000000 0000000000000000 = 00000000ffffffff > = > = > Hi, > = > I hacked a quick prototype of improvemet for KASAN for printing frame inf= o: > = > --- a/mm/kasan/report.c > +++ b/mm/kasan/report.c > @@ -289,6 +289,7 @@ static void print_shadow_for_address(const void *addr) > int i; > const void *shadow =3D kasan_mem_to_shadow(addr); > const void *shadow_row; > + unsigned long *ptr; > = > shadow_row =3D (void *)round_down((unsigned long)shadow, > SHADOW_BYTES_PER_ROW) > @@ -320,6 +321,18 @@ static void print_shadow_for_address(const void *add= r) > = > shadow_row +=3D SHADOW_BYTES_PER_ROW; > } > + > + > + ptr =3D (unsigned long *)((unsigned long)addr & ~7); > + for (i =3D 0; i < 1000; i++, ptr--) { > + if (*ptr =3D=3D 0x41b58ab3) { > + pr_err("\n"); > + pr_err("frame offset: %lu\n", (unsigned > long)addr - (unsigned long)ptr); > + pr_err("desc: '%s'\n", (const char*)*(ptr+1)); > + pr_err("func: %pS\n", (void*)*(ptr+2)); > + break; > + } > + } > } > = > = > = > And this gave me: > = > = > [ 26.763495] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > [ 26.764454] BUG: KASAN: use-after-scope in __drm_mm_interval_first+0xc= 0/0x1e2 > [ 26.765297] Read of size 8 at addr ffff88006cb3fbe0 by task swapper/0/1 > [ 26.766081] > [ 26.766278] CPU: 1 PID: 1 Comm: swapper/0 Not tainted > 4.14.0-04319-gd17a1d97dc20-dirty #12 > [ 26.767760] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS Bochs 01/01/2011 > [ 26.769419] Call Trace: > [ 26.769895] dump_stack+0xdb/0x17a > [ 26.770152] ? _atomic_dec_and_lock+0x12f/0x12f > [ 26.770152] ? show_regs_print_info+0x5b/0x5b > [ 26.770152] ? kasan_report+0x4d/0x247 > [ 26.770152] ? __drm_mm_interval_first+0xc0/0x1e2 > [ 26.770152] print_address_description+0x9a/0x232 > [ 26.770152] ? __drm_mm_interval_first+0xc0/0x1e2 > [ 26.770152] kasan_report+0x21e/0x247 > [ 26.770152] __asan_report_load8_noabort+0x14/0x16 > [ 26.770152] __drm_mm_interval_first+0xc0/0x1e2 > [ 26.770152] assert_continuous+0x13e/0x22f > [ 26.770152] __igt_insert+0x665/0xc87 > [ 26.770152] ? igt_bottomup+0xaa0/0xaa0 > [ 26.770152] ? sched_clock_local+0x3c/0xfb > [ 26.770152] ? find_held_lock+0x33/0x103 > [ 26.770152] ? next_prime_number+0x318/0x362 > [ 26.770152] ? rcu_irq_enter_disabled+0xd/0xd > [ 26.770152] ? next_prime_number+0x337/0x362 > [ 26.770152] igt_replace+0x4b/0xb3 > [ 26.770152] test_drm_mm_init+0x118/0x172 > [ 26.770152] ? drm_kms_helper_init+0xb/0xb > [ 26.770152] do_one_initcall+0x10f/0x21f > [ 26.770152] ? initcall_blacklisted+0x185/0x185 > [ 26.770152] ? down_write_nested+0xa1/0x164 > [ 26.770152] ? kasan_poison_shadow+0x2f/0x31 > [ 26.770152] ? kasan_unpoison_shadow+0x14/0x35 > [ 26.770152] kernel_init_freeable+0x2ae/0x339 > [ 26.770152] ? rest_init+0x250/0x250 > [ 26.770152] kernel_init+0xc/0x105 > [ 26.770152] ? rest_init+0x250/0x250 > [ 26.770152] ret_from_fork+0x24/0x30 > [ 26.770152] > [ 26.770152] The buggy address belongs to the page: > [ 26.770152] page:ffff88007f39c5c8 count:0 mapcount:0 mapping: > (null) index:0x0 > [ 26.770152] flags: 0x1a01fff800000() > [ 26.770152] raw: 0001a01fff800000 0000000000000000 0000000000000000 > 00000000ffffffff > [ 26.770152] raw: ffff88007f39c5e8 ffff88007f39c5e8 0000000000000000 > [ 26.770152] page dumped because: kasan: bad access detected > [ 26.790299] > [ 26.790299] Memory state around the buggy address: > [ 26.790299] ffff88006cb3fa80: 00 00 00 00 00 00 00 00 00 00 00 00 > 00 00 00 f1 > [ 26.790299] ffff88006cb3fb00: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 > 00 f2 f2 f2 > [ 26.790299] >ffff88006cb3fb80: f2 f2 f2 f8 f8 f2 f2 f2 f2 f2 f2 f8 > f8 f8 f8 f8 > [ 26.790299] ^ > [ 26.790299] ffff88006cb3fc00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 > f8 f8 f8 f2 > [ 26.790299] ffff88006cb3fc80: f2 f2 f2 00 00 00 00 00 00 00 00 00 > 00 00 00 00 > [ 26.790299] > [ 26.790299] frame offset: 232 > [ 26.790299] desc: '5 32 8 3 __u 96 16 4 prng 160 16 7 state__ 224 > 160 3 tmp 416 224 2 mm ' > [ 26.790299] func: __igt_insert+0x0/0xc87 > [ 26.790299] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > = > = > That desc string is: number of local objects, then for each object: > offset, size, name length, name. > = > So that's variable tmp in __igt_insert. > = > Looks very much like a real use-after-scope. The fix should already be in mmotm: commit 3e6e51217dd14dcda10d4bc9a38b1440e2d42c14 Author: Chris Wilson Date: Thu Nov 9 21:24:34 2017 +0000 lib/rbtree,drm/mm: Add rbtree_replace_node_cached() = Add a variant of rbtree_replace_node() that maintains the leftmost cache of struct rbtree_root_cached when replacing nodes within the rbtree. -Chris -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org