Bug 1975026
| Summary | [RHEL-8.5] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses] |
|---|---|
| Product | Red Hat Enterprise Linux 8 |
| Reporter | PaulB <pbunyan> |
| Component | kernel |
| Assignee | Tomas Henzl <thenzl> |
| kernel sub component | Storage Drivers |
| QA Contact | ChanghuiZhong <czhong> |
| Status | CLOSED ERRATA |
| Docs Contact | |
| Severity | medium |
| Priority | high |
| CC | bgoncalv, cwei, darcari, jmagrini, pbunyan, prarit, thenzl |
| Version | 8.5 |
| Keywords | Reopened, Triaged, ZStream |
| Target Milestone | beta |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | kernel-4.18.0-489.el8 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 2306519, 2306520, 2306521, 2306522 |
| Environment | |
| Last Closed | 2023-11-14 15:37:53 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 2306519, 2306520, 2306521, 2306522 |
Description
PaulB, 2021-06-23 00:55:55 UTC

All,

This issue is reproducible with RHEL-8.7 on target system:

distro: RHEL-8.7.0
kernel: 4.18.0-425.3.1.el8 debug
host: hpe-dl385gen10-02.hpe2.lab.eng.bos.redhat.com
bios: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/08/2021

https://beaker.engineering.redhat.com/jobs/7269721
https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2022/11/72697/7269721/12991857/console.log

---%<-snip->%---
```
[   65.071375] input: PC Speaker as /devices/platform/pcspkr/input/input2
[   65.088436] ==================================================================
[   65.095912] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses]
[   65.104249] Read of size 1 at addr ffff88a1227ec451 by task systemd-udevd/3418
[   65.111527]
[   65.111551] CPU: 124 PID: 3418 Comm: systemd-udevd Not tainted 4.18.0-425.3.1.el8.x86_64+debug #1
[   65.111561] Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/08/2021
[   65.130644] Call Trace:
[   65.133118]  dump_stack+0x5c/0x80
[   65.136485]  print_address_description.constprop.6+0x1a/0x150
[   65.140516] ptdma 0000:e1:00.2: enabling device (0140 -> 0142)
[   65.142286]  ? ses_enclosure_data_process+0x91c/0xe80 [ses]
[   65.142298]  ? ses_enclosure_data_process+0x91c/0xe80 [ses]
[   65.142313]  kasan_report.cold.11+0x7f/0x118
[   65.163761]  ? ses_enclosure_data_process+0x91c/0xe80 [ses]
[   65.169395]  ses_enclosure_data_process+0x91c/0xe80 [ses]
[   65.174858]  ? kfree+0x1/0x2b0
[   65.177953]  ? enclosure_register+0x288/0x398 [enclosure]
[   65.183412]  ses_intf_add+0xa5f/0xf75 [ses]
[   65.187645]  ? class_dev_iter_next+0x6c/0xd0
[   65.191977]  class_interface_register+0x298/0x400
[   65.196736]  ? class_dev_iter_next+0xd0/0xd0
[   65.201057]  ? rcu_read_lock_bh_held+0xd0/0xd0
[   65.205549]  ? 0xffffffffc2720000
[   65.208903]  ses_init+0x12/0x1000 [ses]
[   65.212779]  do_one_initcall+0x103/0x5f0
[   65.216748]  ? perf_trace_initcall_level+0x420/0x420
[   65.216768]  ? do_init_module+0x4e/0x700
[   65.225712]  ? __kasan_kmalloc+0x7d/0xa0
[   65.229677]  ? kmem_cache_alloc_trace+0x188/0x2b0
[   65.229730] ptdma 0000:c2:00.2: enabling device (0140 -> 0142)
[   65.234424]  ? kasan_unpoison+0x21/0x50
[   65.234451]  do_init_module+0x1d1/0x700
[   65.248065]  load_module+0x3867/0x5260
[   65.251352] ptdma 0000:c1:00.2: enabling device (0140 -> 0142)
[   65.251938]  ? layout_and_allocate+0x3990/0x3990
[   65.262434]  ? sched_clock+0x5/0x10
[   65.265999]  ? sched_clock_cpu+0x18/0x1e0
[   65.266015]  ? find_held_lock+0x3a/0x1d0
[   65.272790] ptdma 0000:a2:00.2: enabling device (0140 -> 0142)
[   65.274033]  ? hlock_class+0x4e/0x120
[   65.274064]  ? alloc_vm_area+0x120/0x120
[   65.287558]  ? selinux_kernel_module_from_file+0x2a5/0x300
[   65.293140]  ? __do_sys_init_module+0x1db/0x260
[   65.295806] ptdma 0000:a1:00.2: enabling device (0140 -> 0142)
[   65.297708]  __do_sys_init_module+0x1db/0x260
[   65.297725]  ? load_module+0x5260/0x5260
[   65.297768]  ? lockdep_hardirqs_on_prepare+0x298/0x3f0
[   65.317130]  ? do_syscall_64+0x22/0x450
[   65.317156]  do_syscall_64+0xa5/0x450
[   65.324525] ptdma 0000:82:00.2: enabling device (0140 -> 0142)
[   65.324727]  entry_SYSCALL_64_after_hwframe+0x66/0xdb
[   65.335684] RIP: 0033:0x7fcdf1b0c23e
[   65.339292] Code: 48 8b 0d 4d 5c 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1a 5c 38 00 f7 d8 64 89 01 48
[   65.339301] RSP: 002b:00007ffe83a17858 EFLAGS: 00000246 ORIG_RAX: 00000000000000af
[   65.339312] RAX: ffffffffffffffda RBX: 000055b688f912d0 RCX: 00007fcdf1b0c23e
[   65.339320] RDX: 00007fcdf273e86d RSI: 000000000000c6f0 RDI: 000055b6890b2c40
[   65.361186] ptdma 0000:81:00.2: enabling device (0140 -> 0142)
[   65.365863] RBP: 00007fcdf273e86d R08: 000055b688f2801a R09: 0000000000000003
[   65.365871] R10: 000055b688f28010 R11: 0000000000000246 R12: 000055b6890b2c40
[   65.365877] R13: 000055b688f91010 R14: 0000000000020000 R15: 0000000000000000
[   65.365927]
[   65.380345] Allocated by task 3418:
[   65.380353]  kasan_save_stack+0x19/0x40
[   65.380360]  __kasan_kmalloc+0x7d/0xa0
[   65.380366]  __kmalloc+0x153/0x260
[   65.423875]  ses_intf_add+0x7a6/0xf75 [ses]
[   65.428097]  class_interface_register+0x298/0x400
[   65.432841]  ses_init+0x12/0x1000 [ses]
[   65.436713]  do_one_initcall+0x103/0x5f0
[   65.440670]  do_init_module+0x1d1/0x700
[   65.444536]  load_module+0x3867/0x5260
[   65.448317]  __do_sys_init_module+0x1db/0x260
[   65.452708]  do_syscall_64+0xa5/0x450
[   65.456401]  entry_SYSCALL_64_after_hwframe+0x66/0xdb
```
---%<-snip->%---

Tomas - any thoughts?

Best,
pbunyan

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

(In reply to PaulB from comment #3)
> Tomas - any thoughts?

This is a real bug which has been around for a long time, but it shows up only when memory debugging is used. I plan to fix it.

> Best,
> pbunyan

*** Bug 2096182 has been marked as a duplicate of this bug. ***

Reproduced this issue on 4.18.0-488.el8.x86_64+debug, and verified this issue has been fixed on 4.18.0-478.el8.4420_810232341.x86_64+debug.

```
[   60.197879] ==================================================================
[   60.205369] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses]
[   60.213713] Read of size 1 at addr ffff88b8b63e8451 by task systemd-udevd/3445
[   60.220993]
[   60.222506] CPU: 225 PID: 3445 Comm: systemd-udevd Not tainted 4.18.0-488.el8.x86_64+debug #1
[   60.231098] Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/08/2021
[   60.239684] Call Trace:
[   60.242159]  dump_stack+0x5c/0x80
[   60.245517]  print_address_description.constprop.6+0x1a/0x150
[   60.251319]  ? ses_enclosure_data_process+0x91c/0xe80 [ses]
[   60.256942]  ? ses_enclosure_data_process+0x91c/0xe80 [ses]
[   60.262570]  kasan_report.cold.11+0x7f/0x118
[   60.266893]  ? ses_enclosure_data_process+0x91c/0xe80 [ses]
[   60.272527]  ses_enclosure_data_process+0x91c/0xe80 [ses]
[   60.277995]  ? __slab_free+0x2c1/0x2d0
[   60.281796]  ? enclosure_register+0x288/0x398 [enclosure]
[   60.287258]  ses_intf_add+0xa5f/0xf75 [ses]
[   60.291498]  ? class_dev_iter_next+0x6c/0xd0
[   60.295829]  class_interface_register+0x298/0x400
[   60.300589]  ? class_dev_iter_next+0xd0/0xd0
[   60.304978]  ? rcu_read_lock_bh_held+0xd0/0xd0
[   60.309472]  ? 0xffffffffc2369000
[   60.312829]  ses_init+0x12/0x1000 [ses]
[   60.316705]  do_one_initcall+0x103/0x5f0
[   60.320678]  ? perf_trace_initcall_level+0x420/0x420
[   60.325703]  ? __kasan_kmalloc+0x82/0xa0
[   60.329669]  ? kmem_cache_alloc_trace+0x188/0x2b0
[   60.334418]  ? kasan_unpoison+0x21/0x50
[   60.338311]  do_init_module+0x1d1/0x700
[   60.342211]  load_module+0x37f6/0x5100
[   60.346113]  ? layout_and_allocate+0x3990/0x3990
[   60.350784]  ? sched_clock+0x5/0x10
[   60.354307]  ? sched_clock_cpu+0x18/0x1e0
[   60.358358]  ? find_held_lock+0x3a/0x1d0
[   60.362332]  ? hlock_class+0x4e/0x120
[   60.366056]  ? alloc_vm_area+0x120/0x120
[   60.370017]  ? selinux_kernel_module_from_file+0x2a5/0x300
[   60.375608]  ? __do_sys_init_module+0x1db/0x260
[   60.380177]  __do_sys_init_module+0x1db/0x260
[   60.384581]  ? load_module+0x5100/0x5100
[   60.388585]  ? lockdep_hardirqs_on_prepare+0x298/0x3f0
[   60.393769]  ? do_syscall_64+0x22/0x450
[   60.397657]  do_syscall_64+0xa5/0x450
[   60.401360]  entry_SYSCALL_64_after_hwframe+0x66/0xdb
[   60.406458] RIP: 0033:0x7f20c5ea823e
[   60.410069] Code: 48 8b 0d 4d 4c 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1a 4c 38 00 f7 d8 64 89 01 48
[   60.428964] RSP: 002b:00007ffdab0edde8 EFLAGS: 00000246 ORIG_RAX: 00000000000000af
[   60.436597] RAX: ffffffffffffffda RBX: 000055ee1d8b3aa0 RCX: 00007f20c5ea823e
[   60.443788] RDX: 00007f20c6ad986d RSI: 000000000000c6f0 RDI: 000055ee1d7903f0
[   60.450978] RBP: 00007f20c6ad986d R08: 000055ee1d871cf0 R09: 000055ee1d5c101a
[   60.458167] R10: 0000000000000005 R11: 0000000000000246 R12: 000055ee1d7903f0
[   60.465354] R13: 000055ee1d813490 R14: 0000000000020000 R15: 0000000000000000
[   60.472593]
[   60.474103] Allocated by task 3445:
[   60.477623]  kasan_save_stack+0x1c/0x50
[   60.481496]  __kasan_kmalloc+0x82/0xa0
[   60.485278]  __kmalloc+0x157/0x270
[   60.488715]  ses_intf_add+0x7a6/0xf75 [ses]
[   60.492938]  class_interface_register+0x298/0x400
[   60.497683]  ses_init+0x12/0x1000 [ses]
[   60.501554]  do_one_initcall+0x103/0x5f0
[   60.505512]  do_init_module+0x1d1/0x700
[   60.509380]  load_module+0x37f6/0x5100
[   60.513162]  __do_sys_init_module+0x1db/0x260
[   60.517556]  do_syscall_64+0xa5/0x450
[   60.521251]  entry_SYSCALL_64_after_hwframe+0x66/0xdb
[   60.526347]
[   60.527858] The buggy address belongs to the object at ffff88b8b63e8000
[   60.527858]  which belongs to the cache kmalloc-2k of size 2048
[   60.540465] The buggy address is located 1105 bytes inside of
[   60.540465]  2048-byte region [ffff88b8b63e8000, ffff88b8b63e8800)
[   60.552463] The buggy address belongs to the page:
[   60.557293] page:ffffea00e2d8fa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00e2d8fa00 order:3 compound_mapcount:0 compound_pincount:0
[   60.571738] flags: 0x57ffffc0008100(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
[   60.579200] raw: 0057ffffc0008100 dead000000000100 dead000000000200 ffff888100012100
[   60.587005] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[   60.594807] page dumped because: kasan: bad access detected
[   60.600421]
[   60.601928] Memory state around the buggy address:
[   60.606756]  ffff88b8b63e8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   60.614034]  ffff88b8b63e8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   60.621307] >ffff88b8b63e8400: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   60.628584]                                                   ^
[   60.634462]  ffff88b8b63e8480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.641735]  ffff88b8b63e8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.649012] ==================================================================
```

Verified this issue has been fixed on 4.18.0-489.el8.x86_64+debug.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: kernel security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:7077