Bug 1975026 - [RHEL-8.5] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: kernel
Version: 8.5
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: beta
Target Release: ---
Assignee: Tomas Henzl
QA Contact: ChanghuiZhong
URL:
Whiteboard:
Duplicates: 2096182
Depends On:
Blocks:
Reported: 2021-06-23 00:55 UTC by PaulB
Modified: 2023-11-14 17:13 UTC (History)
CC List: 6 users

Fixed In Version: kernel-4.18.0-489.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-14 15:37:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
Gitlab redhat/rhel/src/kernel rhel-8 merge_requests 4420 (last updated 2023-03-23 15:18:35 UTC)
Red Hat Product Errata RHSA-2023:7077 (last updated 2023-11-14 15:38:55 UTC)

Description PaulB 2021-06-23 00:55:55 UTC
Description of problem:
The following issue is seen in dmesg:
 BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses]

Version-Release number of selected component (if applicable):
 distro: RHEL-8.5.0-20210621.n.0 
 kernel-debug: 4.18.0-314.el8 debug


How reproducible:


Steps to Reproduce:
1. Install target system listed in comment #1 with RHEL-8.5.0-20210621.n.0
2. Install and boot  kernel-debug: 4.18.0-314.el8 
3.

Actual results:
https://beaker.engineering.redhat.com/recipes/10176443#task127726617
https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2021/06/54924/5492400/10176443/127726617/600641870/resultoutputfile.log
---%<-snip->%---
[   59.126790] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses]
---%<-snip->%---

https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2021/06/54924/5492400/10176443/console.log
---%<-snip->%---
] Started udev Coldplug all Devices.  
[   59.070287] ipmi_si dmi-ipmi-si.0: Removing SMBIOS-specified kcs state machine in favor of ACPI 
[   59.070830] RAPL PMU: API unit is 2^-32 Joules, 1 fixed counters, 163840 ms ovfl timer 
[   59.079164] ipmi_si: Adding ACPI-specified kcs state machine 
[   59.087091] RAPL PMU: hw unit of domain package 2^-16 Joules 
[   59.102515] ipmi_si: Trying ACPI-specified kcs state machine at i/o address 0xca2, slave address 0x20, irq 0 
[   59.119310] ================================================================== 
[   59.126790] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   59.135137] Read of size 1 at addr ffff888205991451 by task systemd-udevd/3100 
[   59.142412]  
[   59.143925] CPU: 53 PID: 3100 Comm: systemd-udevd Not tainted 4.18.0-314.el8.x86_64+debug #1 
[   59.152421] Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/17/2020 
[   59.161011] Call Trace: 
[   59.163667]  dump_stack+0x8e/0xd0 
[   59.167091]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   59.172715]  print_address_description.constprop.5+0x1e/0x230 
[   59.178508]  ? kmsg_dump_rewind_nolock+0xd9/0xd9 
[   59.183162]  ? do_raw_spin_unlock+0x54/0x230 
[   59.187488]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   59.193105]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   59.196123] ipmi_si IPI0001:00: The BMC does not support clearing the recv irq bit, compensating, but the BMC needs to be fixed. 
[   59.198725]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   59.215994]  __kasan_report.cold.7+0x37/0x86 
[   59.220351]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   59.225975]  kasan_report+0x37/0x50 
[   59.229507]  ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   59.234981]  ses_intf_add+0xa5b/0xf71 [ses] 
[   59.239214]  ? class_dev_iter_next+0x6c/0xc0 
[   59.243534]  class_interface_register+0x298/0x400 
[   59.248286]  ? class_dev_iter_next+0xc0/0xc0 
[   59.252611]  ? rcu_read_lock_bh_held+0xc0/0xc0 
[   59.257098]  ? 0xffffffffc1978000 
[   59.260451]  ses_init+0x12/0x1000 [ses] 
[   59.264322]  do_one_initcall+0xe9/0x57d 
[   59.268199]  ? perf_trace_initcall_level+0x460/0x460 
[   59.269095] ipmi_si IPI0001:00: Found new BMC (man_id: 0x00b85c, prod_id: 0x2000, dev_id: 0x13) 
[   59.273209]  ? kasan_unpoison_shadow+0x30/0x40 
[   59.273219]  ? __kasan_kmalloc.constprop.9+0xc1/0xd0 
[   59.273238]  ? do_init_module+0x4e/0x6f0 
[   59.295516]  ? kmem_cache_alloc_trace+0x122/0x210 
[   59.300261]  ? kasan_unpoison_shadow+0x30/0x40 
[   59.304757]  do_init_module+0x1d1/0x6f0 
[   59.308644]  load_module+0x36bd/0x4f50 
[   59.312497]  ? layout_and_allocate+0x3950/0x3950 
[   59.317164]  ? sched_clock+0x5/0x10 
[   59.320683]  ? sched_clock_cpu+0x18/0x1e0 
[   59.324733]  ? find_held_lock+0x3a/0x1c0 
[   59.328761]  ? __do_sys_init_module+0x1db/0x260 
[   59.333327]  __do_sys_init_module+0x1db/0x260 
[   59.337726]  ? load_module+0x4f50/0x4f50 
[   59.341714]  ? lockdep_hardirqs_on_prepare+0x294/0x3e0 
[   59.346892]  ? do_syscall_64+0x22/0x430 
[   59.350774]  do_syscall_64+0xa5/0x430 
[   59.354478]  entry_SYSCALL_64_after_hwframe+0x6a/0xdf 
[   59.356698] ipmi_si IPI0001:00: IPMI kcs interface initialized 
[   59.359570] RIP: 0033:0x7f2b74c2180e 
[   59.359579] Code: 48 8b 0d 7d 16 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4a 16 2c 00 f7 d8 64 89 01 48 
---%<-snip->%---


Expected results:
No "BUG: KASAN:" messages are expected.


Additional info:

Comment 3 PaulB 2022-11-28 13:54:35 UTC
All,
This issue is reproducible with RHEL-8.7 on target system:
 distro :RHEL-8.7.0 
 kernel: 4.18.0-425.3.1.el8 debug
 host: hpe-dl385gen10-02.hpe2.lab.eng.bos.redhat.com
 bios: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/08/2021

https://beaker.engineering.redhat.com/jobs/7269721
https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2022/11/72697/7269721/12991857/console.log
---%<-snip->%---
[   65.071375] input: PC Speaker as /devices/platform/pcspkr/input/input2 
[   65.088436] ================================================================== 
[   65.095912] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   65.104249] Read of size 1 at addr ffff88a1227ec451 by task systemd-udevd/3418 
[   65.111527]  
[   65.111551] CPU: 124 PID: 3418 Comm: systemd-udevd Not tainted 4.18.0-425.3.1.el8.x86_64+debug #1 
[   65.111561] Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/08/2021 
[   65.130644] Call Trace: 
[   65.133118]  dump_stack+0x5c/0x80 
[   65.136485]  print_address_description.constprop.6+0x1a/0x150 
[   65.140516] ptdma 0000:e1:00.2: enabling device (0140 -> 0142) 
[   65.142286]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   65.142298]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   65.142313]  kasan_report.cold.11+0x7f/0x118 
[   65.163761]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   65.169395]  ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   65.174858]  ? kfree+0x1/0x2b0 
[   65.177953]  ? enclosure_register+0x288/0x398 [enclosure] 
[   65.183412]  ses_intf_add+0xa5f/0xf75 [ses] 
[   65.187645]  ? class_dev_iter_next+0x6c/0xd0 
[   65.191977]  class_interface_register+0x298/0x400 
[   65.196736]  ? class_dev_iter_next+0xd0/0xd0 
[   65.201057]  ? rcu_read_lock_bh_held+0xd0/0xd0 
[   65.205549]  ? 0xffffffffc2720000 
[   65.208903]  ses_init+0x12/0x1000 [ses] 
[   65.212779]  do_one_initcall+0x103/0x5f0 
[   65.216748]  ? perf_trace_initcall_level+0x420/0x420 
[   65.216768]  ? do_init_module+0x4e/0x700 
[   65.225712]  ? __kasan_kmalloc+0x7d/0xa0 
[   65.229677]  ? kmem_cache_alloc_trace+0x188/0x2b0 
[   65.229730] ptdma 0000:c2:00.2: enabling device (0140 -> 0142) 
[   65.234424]  ? kasan_unpoison+0x21/0x50 
[   65.234451]  do_init_module+0x1d1/0x700 
[   65.248065]  load_module+0x3867/0x5260 
[   65.251352] ptdma 0000:c1:00.2: enabling device (0140 -> 0142) 
[   65.251938]  ? layout_and_allocate+0x3990/0x3990 
[   65.262434]  ? sched_clock+0x5/0x10 
[   65.265999]  ? sched_clock_cpu+0x18/0x1e0 
[   65.266015]  ? find_held_lock+0x3a/0x1d0 
[   65.272790] ptdma 0000:a2:00.2: enabling device (0140 -> 0142) 
[   65.274033]  ? hlock_class+0x4e/0x120 
[   65.274064]  ? alloc_vm_area+0x120/0x120 
[   65.287558]  ? selinux_kernel_module_from_file+0x2a5/0x300 
[   65.293140]  ? __do_sys_init_module+0x1db/0x260 
[   65.295806] ptdma 0000:a1:00.2: enabling device (0140 -> 0142) 
[   65.297708]  __do_sys_init_module+0x1db/0x260 
[   65.297725]  ? load_module+0x5260/0x5260 
[   65.297768]  ? lockdep_hardirqs_on_prepare+0x298/0x3f0 
[   65.317130]  ? do_syscall_64+0x22/0x450 
[   65.317156]  do_syscall_64+0xa5/0x450 
[   65.324525] ptdma 0000:82:00.2: enabling device (0140 -> 0142) 
[   65.324727]  entry_SYSCALL_64_after_hwframe+0x66/0xdb 
[   65.335684] RIP: 0033:0x7fcdf1b0c23e 
[   65.339292] Code: 48 8b 0d 4d 5c 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1a 5c 38 00 f7 d8 64 89 01 48 
[   65.339301] RSP: 002b:00007ffe83a17858 EFLAGS: 00000246 ORIG_RAX: 00000000000000af 
[   65.339312] RAX: ffffffffffffffda RBX: 000055b688f912d0 RCX: 00007fcdf1b0c23e 
[   65.339320] RDX: 00007fcdf273e86d RSI: 000000000000c6f0 RDI: 000055b6890b2c40 
[   65.361186] ptdma 0000:81:00.2: enabling device (0140 -> 0142) 
[   65.365863] RBP: 00007fcdf273e86d R08: 000055b688f2801a R09: 0000000000000003 
[   65.365871] R10: 000055b688f28010 R11: 0000000000000246 R12: 000055b6890b2c40 
[   65.365877] R13: 000055b688f91010 R14: 0000000000020000 R15: 0000000000000000 
[   65.365927]  
[   65.380345] Allocated by task 3418: 
[   65.380353]  kasan_save_stack+0x19/0x40 
[   65.380360]  __kasan_kmalloc+0x7d/0xa0 
[   65.380366]  __kmalloc+0x153/0x260 
[   65.423875]  ses_intf_add+0x7a6/0xf75 [ses] 
[   65.428097]  class_interface_register+0x298/0x400 
[   65.432841]  ses_init+0x12/0x1000 [ses] 
[   65.436713]  do_one_initcall+0x103/0x5f0 
[   65.440670]  do_init_module+0x1d1/0x700 
[   65.444536]  load_module+0x3867/0x5260 
[   65.448317]  __do_sys_init_module+0x1db/0x260 
[   65.452708]  do_syscall_64+0xa5/0x450 
[   65.456401]  entry_SYSCALL_64_after_hwframe+0x66/0xdb 
---%<-snip->%---


Tomas - any thoughts?


Best,
pbunyan

Comment 4 RHEL Program Management 2022-12-23 07:27:51 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 5 Tomas Henzl 2023-01-02 15:14:22 UTC
(In reply to PaulB from comment #3)
> 
> 
> Tomas - any thoughts?

This is a real bug which has been around for a long time, but it shows only when memory debugging is used.
I plan to fix it.

> 
> 
> Best,
> pbunyan

Comment 8 Tomas Henzl 2023-03-02 14:06:43 UTC
*** Bug 2096182 has been marked as a duplicate of this bug. ***

Comment 10 ChanghuiZhong 2023-04-24 15:28:21 UTC
Reproduced this issue on 4.18.0-488.el8.x86_64+debug, and verified that it has been fixed on 4.18.0-478.el8.4420_810232341.x86_64+debug.

[   60.197879] ================================================================== 
[   60.205369] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   60.213713] Read of size 1 at addr ffff88b8b63e8451 by task systemd-udevd/3445 
[   60.220993]  
[   60.222506] CPU: 225 PID: 3445 Comm: systemd-udevd Not tainted 4.18.0-488.el8.x86_64+debug #1 
[   60.231098] Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/08/2021 
[   60.239684] Call Trace: 
[   60.242159]  dump_stack+0x5c/0x80 
[   60.245517]  print_address_description.constprop.6+0x1a/0x150 
[   60.251319]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   60.256942]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   60.262570]  kasan_report.cold.11+0x7f/0x118 
[   60.266893]  ? ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   60.272527]  ses_enclosure_data_process+0x91c/0xe80 [ses] 
[   60.277995]  ? __slab_free+0x2c1/0x2d0 
[   60.281796]  ? enclosure_register+0x288/0x398 [enclosure] 
[   60.287258]  ses_intf_add+0xa5f/0xf75 [ses] 
[   60.291498]  ? class_dev_iter_next+0x6c/0xd0 
[   60.295829]  class_interface_register+0x298/0x400 
[   60.300589]  ? class_dev_iter_next+0xd0/0xd0 
[   60.304978]  ? rcu_read_lock_bh_held+0xd0/0xd0 
[   60.309472]  ? 0xffffffffc2369000 
[   60.312829]  ses_init+0x12/0x1000 [ses] 
[   60.316705]  do_one_initcall+0x103/0x5f0 
[   60.320678]  ? perf_trace_initcall_level+0x420/0x420 
[   60.325703]  ? __kasan_kmalloc+0x82/0xa0 
[   60.329669]  ? kmem_cache_alloc_trace+0x188/0x2b0 
[   60.334418]  ? kasan_unpoison+0x21/0x50 
[   60.338311]  do_init_module+0x1d1/0x700 
[   60.342211]  load_module+0x37f6/0x5100 
[   60.346113]  ? layout_and_allocate+0x3990/0x3990 
[   60.350784]  ? sched_clock+0x5/0x10 
[   60.354307]  ? sched_clock_cpu+0x18/0x1e0 
[   60.358358]  ? find_held_lock+0x3a/0x1d0 
[   60.362332]  ? hlock_class+0x4e/0x120 
[   60.366056]  ? alloc_vm_area+0x120/0x120 
[   60.370017]  ? selinux_kernel_module_from_file+0x2a5/0x300 
[   60.375608]  ? __do_sys_init_module+0x1db/0x260 
[   60.380177]  __do_sys_init_module+0x1db/0x260 
[   60.384581]  ? load_module+0x5100/0x5100 
[   60.388585]  ? lockdep_hardirqs_on_prepare+0x298/0x3f0 
[   60.393769]  ? do_syscall_64+0x22/0x450 
[   60.397657]  do_syscall_64+0xa5/0x450 
[   60.401360]  entry_SYSCALL_64_after_hwframe+0x66/0xdb 
[   60.406458] RIP: 0033:0x7f20c5ea823e 
[   60.410069] Code: 48 8b 0d 4d 4c 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 af 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1a 4c 38 00 f7 d8 64 89 01 48 
[   60.428964] RSP: 002b:00007ffdab0edde8 EFLAGS: 00000246 ORIG_RAX: 00000000000000af 
[   60.436597] RAX: ffffffffffffffda RBX: 000055ee1d8b3aa0 RCX: 00007f20c5ea823e 
[   60.443788] RDX: 00007f20c6ad986d RSI: 000000000000c6f0 RDI: 000055ee1d7903f0 
[   60.450978] RBP: 00007f20c6ad986d R08: 000055ee1d871cf0 R09: 000055ee1d5c101a 
[   60.458167] R10: 0000000000000005 R11: 0000000000000246 R12: 000055ee1d7903f0 
[   60.465354] R13: 000055ee1d813490 R14: 0000000000020000 R15: 0000000000000000 
[   60.472593]  
[   60.474103] Allocated by task 3445: 
[   60.477623]  kasan_save_stack+0x1c/0x50 
[   60.481496]  __kasan_kmalloc+0x82/0xa0 
[   60.485278]  __kmalloc+0x157/0x270 
[   60.488715]  ses_intf_add+0x7a6/0xf75 [ses] 
[   60.492938]  class_interface_register+0x298/0x400 
[   60.497683]  ses_init+0x12/0x1000 [ses] 
[   60.501554]  do_one_initcall+0x103/0x5f0 
[   60.505512]  do_init_module+0x1d1/0x700 
[   60.509380]  load_module+0x37f6/0x5100 
[   60.513162]  __do_sys_init_module+0x1db/0x260 
[   60.517556]  do_syscall_64+0xa5/0x450 
[   60.521251]  entry_SYSCALL_64_after_hwframe+0x66/0xdb 
[   60.526347]  
[   60.527858] The buggy address belongs to the object at ffff88b8b63e8000 
[   60.527858]  which belongs to the cache kmalloc-2k of size 2048 
[   60.540465] The buggy address is located 1105 bytes inside of 
[   60.540465]  2048-byte region [ffff88b8b63e8000, ffff88b8b63e8800) 
[   60.552463] The buggy address belongs to the page: 
[   60.557293] page:ffffea00e2d8fa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00e2d8fa00 order:3 compound_mapcount:0 compound_pincount:0 
[   60.571738] flags: 0x57ffffc0008100(slab|head|node=1|zone=2|lastcpupid=0x1fffff) 
[   60.579200] raw: 0057ffffc0008100 dead000000000100 dead000000000200 ffff888100012100 
[   60.587005] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 
[   60.594807] page dumped because: kasan: bad access detected 
[   60.600421]  
[   60.601928] Memory state around the buggy address: 
[   60.606756]  ffff88b8b63e8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[   60.614034]  ffff88b8b63e8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[   60.621307] >ffff88b8b63e8400: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc 
[   60.628584]                                                  ^ 
[   60.634462]  ffff88b8b63e8480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
[   60.641735]  ffff88b8b63e8500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
[   60.649012] ==================================================================
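
The memory-state section of the KASAN splat above says more than the "1105 bytes inside of 2048-byte region" line: the shadow bytes mark where the kmalloc object really ends, so the redzone (fc) boundary gives the true allocation size. As an added example, not part of this bug report, the following script parses an excerpt of the comment 10 report (constructed inline from the lines above, timestamps dropped) and derives the object's addressable size and how far past it the one-byte read lands.

```python
import re

# Constructed excerpt of the KASAN report quoted in comment 10 of this bug
# (timestamps removed, lines otherwise as the kernel printed them).
KASAN_REPORT = """\
BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses]
Read of size 1 at addr ffff88b8b63e8451 by task systemd-udevd/3445
The buggy address belongs to the object at ffff88b8b63e8000
 which belongs to the cache kmalloc-2k of size 2048
Memory state around the buggy address:
 ffff88b8b63e8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88b8b63e8400: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                 ^
 ffff88b8b63e8480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

GRANULE = 8  # one KASAN shadow byte describes 8 bytes of kernel memory

def parse_shadow(text):
    """Map granule start address -> shadow byte for every dumped row."""
    shadow = {}
    row_re = re.compile(r"^\s*>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})", re.M)
    for row in row_re.finditer(text):
        base = int(row.group(1), 16)
        for i, byte in enumerate(row.group(2).split()):
            shadow[base + i * GRANULE] = int(byte, 16)
    return shadow

def object_end(shadow, addr):
    """First byte past the addressable object containing `addr`.
    Shadow 00 = all 8 bytes usable, 01..07 = that many leading bytes usable,
    larger values (fc = slab redzone) = poisoned; walk back to the last usable granule."""
    g = addr & ~(GRANULE - 1)
    while g in shadow and shadow[g] > GRANULE - 1:
        g -= GRANULE
    if g not in shadow:
        raise ValueError("dump does not reach the end of the object")
    return g + (GRANULE if shadow[g] == 0 else shadow[g])

def analyze_kasan_report(text):
    """Pull the numbers a triager wants out of a slab-out-of-bounds report."""
    kind, func = re.search(r"BUG: KASAN: (\S+) in (\S+)", text).groups()
    op, size, addr = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text).groups()
    obj = int(re.search(r"object at ([0-9a-f]+)", text).group(1), 16)
    cache, slot = re.search(r"cache (\S+) of size (\d+)", text).groups()
    addr = int(addr, 16)
    end = object_end(parse_shadow(text), addr)
    return {"kind": kind, "func": func, "op": op, "size": int(size),
            "cache": cache, "slot_size": int(slot),
            "offset_in_slot": addr - obj,   # the number the report itself prints
            "object_size": end - obj,       # real allocation size per the shadow
            "start_past_end": addr - end}   # bytes between object end and the access

if __name__ == "__main__":
    print(analyze_kasan_report(KASAN_REPORT))
```

For this report the object is 1104 bytes long although it lives in a 2048-byte kmalloc-2k slot, and the read begins one byte past its end.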

Comment 12 ChanghuiZhong 2023-04-28 08:48:14 UTC
Verified that this issue has been fixed on 4.18.0-489.el8.x86_64+debug.

Comment 16 errata-xmlrpc 2023-11-14 15:37:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:7077

