Bug 2273668 - KASAN detects user-memory-access on P9 VM in memset32
Summary: KASAN detects user-memory-access on P9 VM in memset32
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: ppc64le
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: PPCTracker
Reported: 2024-04-05 14:09 UTC by Jakub Čajka
Modified: 2024-04-05 15:07 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments
dmesg of fedora debug kernel (47.15 KB, text/plain)
2024-04-05 14:12 UTC, Jakub Čajka

Description Jakub Čajka 2024-04-05 14:09:58 UTC
1. Please describe the problem:
With debugging enabled on ppc64le, the KVM guest's kernel KASAN detects a user-memory-access in memset32.

2. What is the Version-Release number of the kernel:
6.9.0-0.rc0.20240321git23956900041d.12.fc41.ppc64le+debug

3. Did it work previously in Fedora? If so, what kernel version did the issue
   *first* appear?  Old kernels are available for download at
   https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :
I haven't bisected it yet; I'm working on it along with the upstream report.

4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:
Yes, always reproducible.
Enable the debug kernel build via a small patch:
"
diff --git a/kernel.spec b/kernel.spec
index ed18cc2bb..d9be2adcb 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -462,9 +462,6 @@ Summary: The Linux kernel
 
 %if 0%{?fedora}
 # don't do debug builds on anything but aarch64 and x86_64
-%ifnarch aarch64 x86_64
-%define with_debug 0
-%endif
 %endif
 
 %define all_configs %{name}-%{specrpmversion}-*.config
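Review bot: the kept line `# don't do debug builds on anything but aarch64 and x86_64` now describes exactly the restriction the three removed `%ifnarch aarch64 x86_64` / `%define with_debug 0` / `%endif` lines implemented, and the enclosing `%if 0%{?fedora}` ... `%endif` is left wrapping nothing but that comment. If this is meant as anything beyond a local reproduction aid, either drop the now-empty conditional together with its comment or reword the comment to say debug builds are enabled on every arch.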
"
Or enable eln repository.

Install the debug kernel in a KVM VM on Power9 host.

Reboot to the debug kernel on the VM.

KASAN detects the issue.

5. Does this problem occur with the latest Rawhide kernel? To install the
   Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by
   ``sudo dnf update --enablerepo=rawhide kernel``:
With debug enabled, yes.

6. Are you running any modules that are not shipped directly with Fedora's kernel?:
No

7. Please attach the kernel logs. You can get the complete kernel log
   for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the
   issue occurred on a previous boot, use the journalctl ``-b`` flag.
With the debug-enabled kernel:
Mar 27 08:43:12 localhost kernel: ==================================================================
Mar 27 08:43:12 localhost kernel: BUG: KASAN: user-memory-access in memset32+0x70/0xc0
Mar 27 08:43:12 localhost kernel: Write of size 4 at addr 0000684fba1e0a40 by task kworker/4:1/78
Mar 27 08:43:12 localhost kernel: 
Mar 27 08:43:12 localhost kernel: CPU: 4 PID: 78 Comm: kworker/4:1 Not tainted 6.9.0-0.rc0.20240321git23956900041d.12.fc41.ppc64le+debug #1
Mar 27 08:43:12 localhost kernel: Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries
Mar 27 08:43:12 localhost kernel: Workqueue: events bpf_prog_free_deferred
Mar 27 08:43:12 localhost kernel: Call Trace:
Mar 27 08:43:12 localhost kernel: [c0000000103b7800] [c000000001dbada8] dump_stack_lvl+0x100/0x184 (unreliable)
Mar 27 08:43:12 localhost kernel: [c0000000103b7830] [c000000000839250] print_report+0x34c/0xc78
Mar 27 08:43:12 localhost kernel: [c0000000103b7930] [c000000000839d2c] kasan_report+0xf4/0x1f4
Mar 27 08:43:12 localhost kernel: [c0000000103b7a00] [c00000000083bf2c] __asan_store4+0xbc/0xd0
Mar 27 08:43:12 localhost kernel: [c0000000103b7a20] [c000000001df4c9c] memset32+0x70/0xc0
Mar 27 08:43:12 localhost kernel: [c0000000103b7a70] [c0000000000d6948] __patch_instructions.isra.0+0x4c/0x100
Mar 27 08:43:12 localhost kernel: [c0000000103b7aa0] [c0000000000d6b6c] patch_instructions+0x170/0x674
Mar 27 08:43:12 localhost kernel: [c0000000103b7b80] [c000000000162e80] bpf_arch_text_invalidate+0x84/0xec
Mar 27 08:43:12 localhost kernel: [c0000000103b7bd0] [c000000000560a2c] bpf_prog_pack_free+0x138/0x3ac
Mar 27 08:43:12 localhost kernel: [c0000000103b7c70] [c000000000561038] bpf_jit_binary_pack_free+0x50/0x9c
Mar 27 08:43:12 localhost kernel: [c0000000103b7cb0] [c000000000162fc8] bpf_jit_free+0xe0/0x198
Mar 27 08:43:12 localhost kernel: [c0000000103b7cf0] [c00000000056008c] bpf_prog_free_deferred+0x2f4/0x354
Mar 27 08:43:12 localhost kernel: [c0000000103b7d50] [c000000000203b44] process_one_work+0x584/0xde4
Mar 27 08:43:12 localhost kernel: [c0000000103b7eb0] [c0000000002051d0] worker_thread+0x384/0x6e4
Mar 27 08:43:12 localhost kernel: [c0000000103b7f80] [c00000000021c198] kthread+0x21c/0x228
Mar 27 08:43:12 localhost kernel: [c0000000103b7fe0] [c00000000000dee8] start_kernel_thread+0x14/0x18
Mar 27 08:43:12 localhost kernel: ==================================================================
Mar 27 08:43:12 localhost kernel: Disabling lock debugging due to kernel taint

With the ELN debug kernel:

Mar 27 15:37:02 localhost kernel: ==================================================================
Mar 27 15:37:02 localhost kernel: BUG: KASAN: user-memory-access in memset32+0x70/0xc0
Mar 27 15:37:02 localhost kernel: Write of size 4 at addr 00003c9f83980a40 by task kworker/4:1/73
Mar 27 15:37:02 localhost kernel: 
Mar 27 15:37:02 localhost kernel: CPU: 4 PID: 73 Comm: kworker/4:1 Not tainted 6.9.0-0.rc1.20240326git928a87efa423.17.eln136.ppc64le+debug #1
Mar 27 15:37:02 localhost kernel: Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries
Mar 27 15:37:02 localhost kernel: Workqueue: events bpf_prog_free_deferred
Mar 27 15:37:02 localhost kernel: Call Trace:
Mar 27 15:37:02 localhost kernel: [c0000000101f77d0] [c000000001903084] dump_stack_lvl+0xc8/0x130 (unreliable)
Mar 27 15:37:02 localhost kernel: [c0000000101f7810] [c000000000858090] print_report+0x23c/0x27c
Mar 27 15:37:02 localhost kernel: [c0000000101f78f0] [c0000000008574c0] kasan_report+0xe0/0x2c0
Mar 27 15:37:02 localhost kernel: [c0000000101f7a00] [c000000000859fac] __asan_store4+0xbc/0xd0
Mar 27 15:37:02 localhost kernel: [c0000000101f7a20] [c00000000193e5e0] memset32+0x70/0xc0
Mar 27 15:37:02 localhost kernel: [c0000000101f7a70] [c0000000000d4b9c] __patch_instructions.isra.0+0x4c/0x100
Mar 27 15:37:02 localhost kernel: [c0000000101f7aa0] [c0000000000d4df8] patch_instructions+0x1a8/0x610
Mar 27 15:37:02 localhost kernel: [c0000000101f7b80] [c000000000164984] bpf_arch_text_invalidate+0x84/0xf0
Mar 27 15:37:02 localhost kernel: [c0000000101f7bd0] [c000000000577a3c] bpf_prog_pack_free+0x12c/0x3a0
Mar 27 15:37:02 localhost kernel: [c0000000101f7c70] [c000000000578050] bpf_jit_binary_pack_free+0x50/0xa0
Mar 27 15:37:02 localhost kernel: [c0000000101f7cb0] [c000000000164ad0] bpf_jit_free+0xe0/0x1a0
Mar 27 15:37:02 localhost kernel: [c0000000101f7cf0] [c00000000057708c] bpf_prog_free_deferred+0x2fc/0x360
Mar 27 15:37:02 localhost kernel: [c0000000101f7d50] [c0000000002060b0] process_one_work+0x580/0xe40
Mar 27 15:37:02 localhost kernel: [c0000000101f7eb0] [c0000000002077b0] worker_thread+0x380/0x6e0
Mar 27 15:37:02 localhost kernel: [c0000000101f7f80] [c00000000021dd7c] kthread+0x21c/0x230
Mar 27 15:37:02 localhost kernel: [c0000000101f7fe0] [c00000000000dee8] start_kernel_thread+0x14/0x18
Mar 27 15:37:02 localhost kernel: ==================================================================
Mar 27 15:37:02 localhost kernel: Disabling lock debugging due to kernel taint


Please keep this BZ open for our tracking of this issue. I'm aware that debug is not currently a supported configuration in Fedora. Feel free to assign this to me. I do plan to bring this issue up with upstream.

Reproducible: Always
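Both reports above have the same shape: a `BUG: KASAN: <type> in <symbol>` header, an access line with the size, faulting address and task, and a call trace that runs from memset32 back through the powerpc code-patching helpers into bpf_prog_free_deferred. The address KASAN complains about (0000684fba1e0a40, 00003c9f83980a40) has no 0xc000... kernel prefix, which is what makes KASAN classify the access as user-memory-access rather than an out-of-bounds or use-after-free. As an added example for this bug (not code from the reporter, Fedora or the kernel tree), the Python below pulls those fields out of `journalctl -k` output and classifies the address; the sample text is a copy of the first report in the description, and the rule that ppc64le kernel virtual addresses carry the 0xc top nibble is an assumption of the example, not something the report itself states.

```python
"""Parse KASAN reports out of `journalctl -k` output and classify the faulting address.

Added example for this bug; not code from the reporter, Fedora or the kernel tree.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the first report quoted in the description, journal prefixes included.
SAMPLE = """\
Mar 27 08:43:12 localhost kernel: ==================================================================
Mar 27 08:43:12 localhost kernel: BUG: KASAN: user-memory-access in memset32+0x70/0xc0
Mar 27 08:43:12 localhost kernel: Write of size 4 at addr 0000684fba1e0a40 by task kworker/4:1/78
Mar 27 08:43:12 localhost kernel:
Mar 27 08:43:12 localhost kernel: CPU: 4 PID: 78 Comm: kworker/4:1 Not tainted 6.9.0-0.rc0.20240321git23956900041d.12.fc41.ppc64le+debug #1
Mar 27 08:43:12 localhost kernel: Workqueue: events bpf_prog_free_deferred
Mar 27 08:43:12 localhost kernel: Call Trace:
Mar 27 08:43:12 localhost kernel: [c0000000103b7800] [c000000001dbada8] dump_stack_lvl+0x100/0x184 (unreliable)
Mar 27 08:43:12 localhost kernel: [c0000000103b7830] [c000000000839250] print_report+0x34c/0xc78
Mar 27 08:43:12 localhost kernel: [c0000000103b7930] [c000000000839d2c] kasan_report+0xf4/0x1f4
Mar 27 08:43:12 localhost kernel: [c0000000103b7a00] [c00000000083bf2c] __asan_store4+0xbc/0xd0
Mar 27 08:43:12 localhost kernel: [c0000000103b7a20] [c000000001df4c9c] memset32+0x70/0xc0
Mar 27 08:43:12 localhost kernel: [c0000000103b7a70] [c0000000000d6948] __patch_instructions.isra.0+0x4c/0x100
Mar 27 08:43:12 localhost kernel: [c0000000103b7aa0] [c0000000000d6b6c] patch_instructions+0x170/0x674
Mar 27 08:43:12 localhost kernel: [c0000000103b7b80] [c000000000162e80] bpf_arch_text_invalidate+0x84/0xec
Mar 27 08:43:12 localhost kernel: [c0000000103b7bd0] [c000000000560a2c] bpf_prog_pack_free+0x138/0x3ac
Mar 27 08:43:12 localhost kernel: [c0000000103b7c70] [c000000000561038] bpf_jit_binary_pack_free+0x50/0x9c
Mar 27 08:43:12 localhost kernel: [c0000000103b7cb0] [c000000000162fc8] bpf_jit_free+0xe0/0x198
Mar 27 08:43:12 localhost kernel: [c0000000103b7cf0] [c00000000056008c] bpf_prog_free_deferred+0x2f4/0x354
Mar 27 08:43:12 localhost kernel: [c0000000103b7d50] [c000000000203b44] process_one_work+0x584/0xde4
Mar 27 08:43:12 localhost kernel: [c0000000103b7eb0] [c0000000002051d0] worker_thread+0x384/0x6e4
Mar 27 08:43:12 localhost kernel: [c0000000103b7f80] [c00000000021c198] kthread+0x21c/0x228
Mar 27 08:43:12 localhost kernel: [c0000000103b7fe0] [c00000000000dee8] start_kernel_thread+0x14/0x18
Mar 27 08:43:12 localhost kernel: ==================================================================
"""

_HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<where>\S+)")
_ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
_WORKQUEUE = re.compile(r"Workqueue: (?P<wq>.+)")
_FRAME = re.compile(r"\[[0-9a-f]+\] \[[0-9a-f]+\] (?P<sym>\S+)")
_JOURNAL_PREFIX = re.compile(r"^.*?\bkernel:\s?")   # "Mar 27 08:43:12 localhost kernel: "
_DELIM = "=" * 10


@dataclass
class KasanReport:
    kind: str = ""        # e.g. "user-memory-access"
    where: str = ""       # symbol+offset containing the instrumented access
    rw: str = ""          # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""
    workqueue: str = ""
    frames: list = field(default_factory=list)  # symbols, offsets stripped, innermost first


def parse_kasan_reports(text):
    """Return one KasanReport per '====' delimited block found in the log text."""
    reports, current = [], None
    for raw in text.splitlines():
        line = _JOURNAL_PREFIX.sub("", raw, count=1).strip()
        if line.startswith(_DELIM):
            if current is None:
                current = KasanReport()       # opening delimiter
            else:
                reports.append(current)       # closing delimiter
                current = None
            continue
        if current is None:
            continue
        if m := _HEADER.search(line):
            current.kind, current.where = m["kind"], m["where"]
        elif m := _ACCESS.search(line):
            current.rw, current.size = m["rw"], int(m["size"])
            current.addr, current.task = int(m["addr"], 16), m["task"]
        elif m := _WORKQUEUE.search(line):
            current.workqueue = m["wq"]
        elif m := _FRAME.search(line):
            current.frames.append(m["sym"].split("+", 1)[0])
    return reports


# Assumption of this example: book3s64 ppc64le kernel virtual addresses carry the 0xc
# top nibble; anything else is treated as user-range, the region KASAN has no shadow for.
PPC64_KERNEL_TOP_NIBBLE = 0xC


def classify_address(addr):
    return "kernel-range" if (addr >> 60) == PPC64_KERNEL_TOP_NIBBLE else "user-range"


def callers_of(report, symbol):
    """Frames outward from `symbol`: the path that led into the faulting routine."""
    if symbol not in report.frames:
        return []
    return report.frames[report.frames.index(symbol) + 1:]


if __name__ == "__main__":
    for r in parse_kasan_reports(SAMPLE):
        print(f"{r.kind}: {r.rw} of {r.size} bytes at {r.addr:#018x} "
              f"({classify_address(r.addr)}) by {r.task}, workqueue '{r.workqueue}'")
        print("  path into memset32:", " <- ".join(callers_of(r, "memset32")[:5]))
```

Feeding the script the whole `journalctl --no-hostname -k` dump works the same way, since it only looks at text between the `====` delimiter lines; the second (ELN) report in the description parses to the same kind, size, workqueue and caller path with a different address and PID.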

Comment 1 Jakub Čajka 2024-04-05 14:12:28 UTC
Created attachment 2025427 [details]
dmesg of fedora debug kernel

