Re: [PATCH] kasan: Improve free meta storage in Generic KASAN

From: Juntong Deng
Date: Tue Nov 21 2023 - 11:03:36 EST


On 2023/11/21 23:06, kernel test robot wrote:


Hello,

kernel test robot noticed "BUG_kmalloc-rnd-#-#(Not_tainted):Object_padding_overwritten" on:

commit: cb53c2a822df305ec84b291e4c4a348c7d394b89 ("[PATCH] kasan: Improve free meta storage in Generic KASAN")
url: https://github.com/intel-lab-lkp/linux/commits/Juntong-Deng/kasan-Improve-free-meta-storage-in-Generic-KASAN/20231120-044846
base: https://git.kernel.org/cgit/linux/kernel/git/akpm/mm.git mm-everything
patch link: https://lore.kernel.org/all/VI1P193MB0752DE2CCD9046B5FED0AA8E99B5A@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/
patch subject: [PATCH] kasan: Improve free meta storage in Generic KASAN

in testcase: boot

compiler: clang-16
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+-------------------------------------------------------------+------------+------------+
| | a350566908 | cb53c2a822 |
+-------------------------------------------------------------+------------+------------+
| BUG_kmalloc-rnd-#-#(Not_tainted):Object_padding_overwritten | 0 | 17 |
| BUG_kmalloc-rnd-#-#(Tainted:G_B):Object_padding_overwritten | 0 | 21 |
| BUG_kmalloc-#(Tainted:G_B):Object_padding_overwritten | 0 | 21 |
| BUG_kmalloc-#(Not_tainted):Object_padding_overwritten | 0 | 4 |
+-------------------------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202311212204.c9c64d29-oliver.sang@xxxxxxxxx


[ 1.104299][ T0] ** administrator! **
[ 1.104884][ T0] ** **
[ 1.105469][ T0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 1.106054][ T0] **********************************************************
[ 1.109891][ T0] =============================================================================
[ 1.110637][ T0] BUG kmalloc-rnd-09-8 (Not tainted): Object padding overwritten
[ 1.111258][ T0] -----------------------------------------------------------------------------
[ 1.111258][ T0]
[ 1.112154][ T0] 0xffff888100078074-0xffff88810007807b @offset=116. First byte 0x0 instead of 0x5a
[ 1.112904][ T0] Slab 0xffffea0004001e00 objects=30 used=1 fp=0xffff888100078090 flags=0x8000000000000800(slab|zone=2)
[ 1.113798][ T0] Object 0xffff888100078008 @offset=8 fp=0xffff888100078090
[ 1.113798][ T0]
[ 1.114555][ T0] Redzone ffff888100078000: bb bb bb bb bb bb bb bb ........
[ 1.115329][ T0] Object ffff888100078008: 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkk.
[ 1.116098][ T0] Redzone ffff888100078010: bb bb bb bb bb bb bb bb ........
[ 1.116868][ T0] Padding ffff888100078074: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
[ 1.117691][ T0] Padding ffff888100078084: 5a 5a 5a 5a ZZZZ
[ 1.118432][ T0] CPU: 0 PID: 0 Comm: swapper Not tainted 6.7.0-rc1-00145-gcb53c2a822df #1
[ 1.119122][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 1.119953][ T0] Call Trace:
[ 1.120209][ T0] <TASK>
[ 1.120439][ T0] dump_stack_lvl+0xa2/0x100
[ 1.120808][ T0] check_bytes_and_report+0x113/0x160
[ 1.121240][ T0] check_object+0x1e1/0x380
[ 1.121599][ T0] alloc_debug_processing+0x10e/0x1f0
[ 1.122027][ T0] ___slab_alloc+0x81b/0xdd0
[ 1.122392][ T0] ? init_freelist_randomization+0x11/0x50
[ 1.122854][ T0] ? cache_random_seq_create+0x49/0x110
[ 1.123308][ T0] ? cache_random_seq_create+0x49/0x110
[ 1.123751][ T0] __kmem_cache_alloc_node+0x161/0x1f0
[ 1.124188][ T0] ? cache_random_seq_create+0x49/0x110
[ 1.124637][ T0] __kmalloc+0xb5/0x1b0
[ 1.124968][ T0] cache_random_seq_create+0x49/0x110
[ 1.125395][ T0] init_cache_random_seq+0x2c/0xc0
[ 1.125809][ T0] init_freelist_randomization+0x2d/0x50
[ 1.126259][ T0] kmem_cache_init+0xac/0x120
[ 1.126630][ T0] mm_core_init+0x2a/0x60
[ 1.126972][ T0] start_kernel+0x156/0x370
[ 1.127334][ T0] x86_64_start_reservations+0x20/0x20
[ 1.127770][ T0] x86_64_start_kernel+0x59/0x60
[ 1.128162][ T0] secondary_startup_64_no_verify+0x167/0x16b
[ 1.128652][ T0] </TASK>
[ 1.128887][ T0] Disabling lock debugging due to kernel taint
[ 1.129373][ T0] FIX kmalloc-rnd-09-8: Restoring Object padding 0xffff888100078074-0xffff88810007807b=0x5a
[ 1.130544][ T0] =============================================================================
[ 1.131270][ T0] BUG kmalloc-rnd-09-8 (Tainted: G B ): Object padding overwritten
[ 1.132002][ T0] -----------------------------------------------------------------------------
[ 1.132002][ T0]
[ 1.132893][ T0] 0xffff8881000780fc-0xffff888100078103 @offset=252. First byte 0x0 instead of 0x5a
[ 1.133638][ T0] Slab 0xffffea0004001e00 objects=30 used=2 fp=0xffff888100078118 flags=0x8000000000000800(slab|zone=2)
[ 1.134524][ T0] Object 0xffff888100078090 @offset=144 fp=0xffff888100078118
[ 1.134524][ T0]
[ 1.135292][ T0] Redzone ffff888100078088: bb bb bb bb bb bb bb bb ........
[ 1.136060][ T0] Object ffff888100078090: 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkk.
[ 1.136827][ T0] Redzone ffff888100078098: bb bb bb bb bb bb bb bb ........
[ 1.137596][ T0] Padding ffff8881000780fc: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
[ 1.138418][ T0] Padding ffff88810007810c: 5a 5a 5a 5a ZZZZ
[ 1.139167][ T0] CPU: 0 PID: 0 Comm: swapper Tainted: G B 6.7.0-rc1-00145-gcb53c2a822df #1
[ 1.139971][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 1.140800][ T0] Call Trace:
[ 1.141054][ T0] <TASK>
[ 1.141281][ T0] dump_stack_lvl+0xa2/0x100
[ 1.141643][ T0] check_bytes_and_report+0x113/0x160
[ 1.142068][ T0] check_object+0x1e1/0x380
[ 1.142423][ T0] alloc_debug_processing+0x10e/0x1f0
[ 1.142848][ T0] ___slab_alloc+0x4fe/0xdd0
[ 1.143214][ T0] ? cache_random_seq_create+0x49/0x110
[ 1.143654][ T0] ? cache_random_seq_create+0x49/0x110
[ 1.144092][ T0] __kmem_cache_alloc_node+0x161/0x1f0
[ 1.144524][ T0] ? cache_random_seq_create+0x49/0x110
[ 1.144962][ T0] __kmalloc+0xb5/0x1b0
[ 1.145289][ T0] cache_random_seq_create+0x49/0x110
[ 1.145713][ T0] init_cache_random_seq+0x2c/0xc0
[ 1.146115][ T0] init_freelist_randomization+0x2d/0x50
[ 1.146561][ T0] kmem_cache_init+0xac/0x120
[ 1.146928][ T0] mm_core_init+0x2a/0x60
[ 1.147272][ T0] start_kernel+0x156/0x370
[ 1.147625][ T0] x86_64_start_reservations+0x20/0x20
[ 1.148057][ T0] x86_64_start_kernel+0x59/0x60
[ 1.148447][ T0] secondary_startup_64_no_verify+0x167/0x16b
[ 1.148929][ T0] </TASK>


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20231121/202311212204.c9c64d29-oliver.sang@xxxxxxxxx




This bug is caused by the fact that after improving the free meta
storage, kasan_metadata_size() continues to calculate the metadata
size according to the previous storage method.

I will fix this in a separate patch.