Bug 2273668

Summary: KASAN detects user-memory-access on P9 VM in memset32
Product: Fedora
Component: kernel
Reporter: Jakub Čajka <jcajka>
Assignee: Kernel Maintainer List <kernel-maint>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
Hardware: ppc64le
OS: Linux
CC: acaringi, adscvr, airlied, alciregi, bskeggs, dan, hdegoede, hpa, jarod, josef, kernel-maint, linville, masami256, mchehab, ptalbert, steved
Bug Blocks: 1071880
Attachments: dmesg of fedora debug kernel

Description Jakub Čajka 2024-04-05 14:09:58 UTC
1. Please describe the problem:
With debugging enabled on ppc64le, KVM guest's kernel KASAN detects user-memory-access in memset32

2. What is the Version-Release number of the kernel:
6.9.0-0.rc0.20240321git23956900041d.12.fc41.ppc64le+debug

3. Did it work previously in Fedora? If so, what kernel version did the issue
   *first* appear?  Old kernels are available for download at
   https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :
I haven't bisected it yet; working on it along with the upstream report.

4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:
Yes, always reproducible.
Enable debug kernel build via small patch.
"
diff --git a/kernel.spec b/kernel.spec
index ed18cc2bb..d9be2adcb 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -462,9 +462,6 @@ Summary: The Linux kernel
 
 %if 0%{?fedora}
 # don't do debug builds on anything but aarch64 and x86_64
-%ifnarch aarch64 x86_64
-%define with_debug 0
-%endif
 %endif
 
 %define all_configs %{name}-%{specrpmversion}-*.config
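Review bot: the comment `# don't do debug builds on anything but aarch64 and x86_64` is left in place while the `%ifnarch aarch64 x86_64` / `%define with_debug 0` / `%endif` lines it describes are removed, so the `%if 0%{?fedora}` block now contains only a stale comment. Either drop the comment together with the now-empty `%if 0%{?fedora}` / `%endif` pair, or reword it to record that debug builds are deliberately enabled on every arch for this reproduction; as posted it would mislead the next reader of kernel.spec.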
"
Or enable the eln repository.

Install the debug kernel in a KVM VM on Power9 host.

Reboot to the debug kernel on the VM.

KASAN detects the issue.

5. Does this problem occur with the latest Rawhide kernel? To install the
   Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by
   ``sudo dnf update --enablerepo=rawhide kernel``:
With debug enabled yes.

6. Are you running any modules that are not shipped directly with Fedora's kernel?:
No

7. Please attach the kernel logs. You can get the complete kernel log
   for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the
   issue occurred on a previous boot, use the journalctl ``-b`` flag.
With debug enabled kernel:
Mar 27 08:43:12 localhost kernel: ==================================================================
Mar 27 08:43:12 localhost kernel: BUG: KASAN: user-memory-access in memset32+0x70/0xc0
Mar 27 08:43:12 localhost kernel: Write of size 4 at addr 0000684fba1e0a40 by task kworker/4:1/78
Mar 27 08:43:12 localhost kernel: 
Mar 27 08:43:12 localhost kernel: CPU: 4 PID: 78 Comm: kworker/4:1 Not tainted 6.9.0-0.rc0.20240321git23956900041d.12.fc41.ppc64le+debug #1
Mar 27 08:43:12 localhost kernel: Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries
Mar 27 08:43:12 localhost kernel: Workqueue: events bpf_prog_free_deferred
Mar 27 08:43:12 localhost kernel: Call Trace:
Mar 27 08:43:12 localhost kernel: [c0000000103b7800] [c000000001dbada8] dump_stack_lvl+0x100/0x184 (unreliable)
Mar 27 08:43:12 localhost kernel: [c0000000103b7830] [c000000000839250] print_report+0x34c/0xc78
Mar 27 08:43:12 localhost kernel: [c0000000103b7930] [c000000000839d2c] kasan_report+0xf4/0x1f4
Mar 27 08:43:12 localhost kernel: [c0000000103b7a00] [c00000000083bf2c] __asan_store4+0xbc/0xd0
Mar 27 08:43:12 localhost kernel: [c0000000103b7a20] [c000000001df4c9c] memset32+0x70/0xc0
Mar 27 08:43:12 localhost kernel: [c0000000103b7a70] [c0000000000d6948] __patch_instructions.isra.0+0x4c/0x100
Mar 27 08:43:12 localhost kernel: [c0000000103b7aa0] [c0000000000d6b6c] patch_instructions+0x170/0x674
Mar 27 08:43:12 localhost kernel: [c0000000103b7b80] [c000000000162e80] bpf_arch_text_invalidate+0x84/0xec
Mar 27 08:43:12 localhost kernel: [c0000000103b7bd0] [c000000000560a2c] bpf_prog_pack_free+0x138/0x3ac
Mar 27 08:43:12 localhost kernel: [c0000000103b7c70] [c000000000561038] bpf_jit_binary_pack_free+0x50/0x9c
Mar 27 08:43:12 localhost kernel: [c0000000103b7cb0] [c000000000162fc8] bpf_jit_free+0xe0/0x198
Mar 27 08:43:12 localhost kernel: [c0000000103b7cf0] [c00000000056008c] bpf_prog_free_deferred+0x2f4/0x354
Mar 27 08:43:12 localhost kernel: [c0000000103b7d50] [c000000000203b44] process_one_work+0x584/0xde4
Mar 27 08:43:12 localhost kernel: [c0000000103b7eb0] [c0000000002051d0] worker_thread+0x384/0x6e4
Mar 27 08:43:12 localhost kernel: [c0000000103b7f80] [c00000000021c198] kthread+0x21c/0x228
Mar 27 08:43:12 localhost kernel: [c0000000103b7fe0] [c00000000000dee8] start_kernel_thread+0x14/0x18
Mar 27 08:43:12 localhost kernel: ==================================================================
Mar 27 08:43:12 localhost kernel: Disabling lock debugging due to kernel taint

With eln debug kernel:

Mar 27 15:37:02 localhost kernel: ==================================================================
Mar 27 15:37:02 localhost kernel: BUG: KASAN: user-memory-access in memset32+0x70/0xc0
Mar 27 15:37:02 localhost kernel: Write of size 4 at addr 00003c9f83980a40 by task kworker/4:1/73
Mar 27 15:37:02 localhost kernel: 
Mar 27 15:37:02 localhost kernel: CPU: 4 PID: 73 Comm: kworker/4:1 Not tainted 6.9.0-0.rc1.20240326git928a87efa423.17.eln136.ppc64le+debug #1
Mar 27 15:37:02 localhost kernel: Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries
Mar 27 15:37:02 localhost kernel: Workqueue: events bpf_prog_free_deferred
Mar 27 15:37:02 localhost kernel: Call Trace:
Mar 27 15:37:02 localhost kernel: [c0000000101f77d0] [c000000001903084] dump_stack_lvl+0xc8/0x130 (unreliable)
Mar 27 15:37:02 localhost kernel: [c0000000101f7810] [c000000000858090] print_report+0x23c/0x27c
Mar 27 15:37:02 localhost kernel: [c0000000101f78f0] [c0000000008574c0] kasan_report+0xe0/0x2c0
Mar 27 15:37:02 localhost kernel: [c0000000101f7a00] [c000000000859fac] __asan_store4+0xbc/0xd0
Mar 27 15:37:02 localhost kernel: [c0000000101f7a20] [c00000000193e5e0] memset32+0x70/0xc0
Mar 27 15:37:02 localhost kernel: [c0000000101f7a70] [c0000000000d4b9c] __patch_instructions.isra.0+0x4c/0x100
Mar 27 15:37:02 localhost kernel: [c0000000101f7aa0] [c0000000000d4df8] patch_instructions+0x1a8/0x610
Mar 27 15:37:02 localhost kernel: [c0000000101f7b80] [c000000000164984] bpf_arch_text_invalidate+0x84/0xf0
Mar 27 15:37:02 localhost kernel: [c0000000101f7bd0] [c000000000577a3c] bpf_prog_pack_free+0x12c/0x3a0
Mar 27 15:37:02 localhost kernel: [c0000000101f7c70] [c000000000578050] bpf_jit_binary_pack_free+0x50/0xa0
Mar 27 15:37:02 localhost kernel: [c0000000101f7cb0] [c000000000164ad0] bpf_jit_free+0xe0/0x1a0
Mar 27 15:37:02 localhost kernel: [c0000000101f7cf0] [c00000000057708c] bpf_prog_free_deferred+0x2fc/0x360
Mar 27 15:37:02 localhost kernel: [c0000000101f7d50] [c0000000002060b0] process_one_work+0x580/0xe40
Mar 27 15:37:02 localhost kernel: [c0000000101f7eb0] [c0000000002077b0] worker_thread+0x380/0x6e0
Mar 27 15:37:02 localhost kernel: [c0000000101f7f80] [c00000000021dd7c] kthread+0x21c/0x230
Mar 27 15:37:02 localhost kernel: [c0000000101f7fe0] [c00000000000dee8] start_kernel_thread+0x14/0x18
Mar 27 15:37:02 localhost kernel: ==================================================================
Mar 27 15:37:02 localhost kernel: Disabling lock debugging due to kernel taint


Please keep this BZ open for our tracking of this issue. I'm aware that debug is not currently a supported configuration in Fedora. Feel free to assign this to me. I do plan to bring this issue up with upstream.

Reproducible: Always
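A triage helper added here as an example (it is not part of this bug report, the Fedora spec or the kernel): it parses a KASAN report of the shape quoted above, separates the report machinery frames (dump_stack, kasan_report, __asan_store4) from the code that actually faulted, and re-applies KASAN's bucketing of an address without shadow memory (null pointer, user range, wild). The TASK_SIZE used for the user-range check is an assumed value for ppc64 Book3S with the radix MMU, and the sample is a constructed excerpt of the first trace above.

```python
import re

# Constructed sample: an excerpt of the KASAN report quoted in this bug,
# in the form journalctl -k prints it.
SAMPLE = """\
Mar 27 08:43:12 localhost kernel: BUG: KASAN: user-memory-access in memset32+0x70/0xc0
Mar 27 08:43:12 localhost kernel: Write of size 4 at addr 0000684fba1e0a40 by task kworker/4:1/78
Mar 27 08:43:12 localhost kernel: Call Trace:
Mar 27 08:43:12 localhost kernel: [c0000000103b7930] [c000000000839d2c] kasan_report+0xf4/0x1f4
Mar 27 08:43:12 localhost kernel: [c0000000103b7a00] [c00000000083bf2c] __asan_store4+0xbc/0xd0
Mar 27 08:43:12 localhost kernel: [c0000000103b7a20] [c000000001df4c9c] memset32+0x70/0xc0
Mar 27 08:43:12 localhost kernel: [c0000000103b7a70] [c0000000000d6948] __patch_instructions.isra.0+0x4c/0x100
Mar 27 08:43:12 localhost kernel: [c0000000103b7aa0] [c0000000000d6b6c] patch_instructions+0x170/0x674
Mar 27 08:43:12 localhost kernel: [c0000000103b7b80] [c000000000162e80] bpf_arch_text_invalidate+0x84/0xec
"""

PREFIX = re.compile(r"^.*? kernel: ")
BUG = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>\S+)")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME = re.compile(r"^\[[0-9a-f]+\] \[[0-9a-f]+\] (?P<sym>\S+)")
# Frames that belong to the report machinery, not to the code that faulted.
REPORTING = ("dump_stack", "print_report", "kasan_report", "__asan_", "__kasan_")
PPC64_RADIX_TASK_SIZE = 0x0010000000000000  # assumed: 4 PB user space on ppc64 radix

def classify(addr, task_size=PPC64_RADIX_TASK_SIZE):
    """Bucket an address that has no KASAN shadow the way the report does."""
    if addr < 4096:
        return "null-ptr-deref"
    return "user-memory-access" if addr < task_size else "wild-memory-access"

def parse_kasan(text):
    """Extract bug type, access, address, task and the non-KASAN call chain."""
    report = {"trace": []}
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := BUG.search(line):
            report["type"], report["func"] = m["type"], m["func"]
        elif m := ACCESS.search(line):
            report["rw"], report["size"] = m["rw"], int(m["size"])
            report["addr"], report["task"] = int(m["addr"], 16), m["task"]
        elif m := FRAME.match(line):
            report["trace"].append(m["sym"].split("+")[0])  # drop +off/len
    report["classification"] = classify(report["addr"])
    report["culprits"] = [s for s in report["trace"] if not s.startswith(REPORTING)]
    return report

if __name__ == "__main__":
    r = parse_kasan(SAMPLE)
    print(f"{r['type']}: {r['rw']} of {r['size']} bytes at {r['addr']:#018x} by {r['task']}")
    print("first frames outside KASAN:", " <- ".join(r["culprits"][:3]))
```

Running it on the full journal output instead of the excerpt gives the same fields; the culprit list then continues through bpf_prog_pack_free and bpf_prog_free_deferred down to the kworker frames.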

Comment 1 Jakub Čajka 2024-04-05 14:12:28 UTC
Created attachment 2025427 [details]
dmesg of fedora debug kernel