Re: [syzbot] [arm?] upstream test error: KASAN: invalid-access Write in setup_arch

From: Alexander Potapenko
Date: Wed Sep 04 2024 - 11:32:25 EST


> >>>> Who knows enough about KASAN to dig into this?
> >>
> >> This looks related to Samuel's "arm64: Fix KASAN random tag seed
> >> initialization" patch that landed in August.
> >
> > f75c235565f9 arm64: Fix KASAN random tag seed initialization
> >
> > $ git describe --contains f75c235565f9 --match=v\*
> > v6.11-rc4~15^2
> >
> > So while this is in -rc4, -rc6 still has the same issue (with GCC --
> > clang is OK).
>
> I wouldn't expect it to be related to my patch. smp_build_mpidr_hash() gets
> called before kasan_init_sw_tags() both before and after applying my patch.

Hm, you are right, this problem indeed dates back to v6.9 or earlier.

> Since the variable in question is a stack variable, the random tag is generated
> by GCC, not the kernel function.
>
> Since smp_build_mpidr_hash() is inlined into setup_arch(), which also calls
> kasan_init(), maybe the issue is that GCC tries to allocate the local variable
> and write the tag to shadow memory before kasan_init() actually sets up the
> shadow memory?

Should it be inlined at all?
setup_arch() is a __no_sanitize_address function, and
smp_build_mpidr_hash() is an instrumented one.
The latter is not supposed to be inlined into the former, unless the
latter is always_inline
(https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67368,
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89124).

The report seems to go away if I mark smp_build_mpidr_hash() as noinline.
This doesn't explain, though, why the Clang build doesn't work at all...

>
> Regards,
> Samuel
>
> >> I am a bit surprised the bug is reported before the
> >> "KernelAddressSanitizer initialized" banner is printed - I thought we
> >> shouldn't be reporting anything until the tool is fully initialized.
> >
> > Specially if this can report false positives...
> >
> > Thanks,
> >
> > M.
> >
>


--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Liana Sebastian
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
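A user-space model of the inlining hazard discussed in this thread, added here as an illustration (it is not code from the thread or from the kernel). hash_noinline() and hash_always_inline() stand in for smp_build_mpidr_hash(), a function KASAN instruments and which has a stack array the compiler tags in its prologue; setup_probe() stands in for setup_arch(), built with __no_sanitize_address because it runs before kasan_init() has populated shadow memory. The attribute macros are defined locally with the kernel's spellings (assumed; in the kernel they come from its compiler headers), the fold over the MPIDR values is a placeholder rather than the kernel's hash, and the MPIDR values are constructed sample input. The probe uses __builtin_frame_address(0): an inlined body shares its caller's frame, while a real call gets its own, so comparing the two tells you at run time whether the instrumented prologue would have executed inside the uninstrumented caller. It shows both sides of the observation above: noinline keeps the callee out of the caller, and always_inline is the one case where it is pulled in regardless, even at -O0.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for the kernel's attribute macros (assumed spellings). */
#define __no_sanitize_address __attribute__((no_sanitize_address))
#define __always_inline       inline __attribute__((always_inline))
#define noinline              __attribute__((noinline))

/* Constructed sample MPIDR values: two clusters, two cores each. */
static const uint64_t sample_mpidr[] = {
    0x80000000ULL, 0x80000001ULL, 0x80000100ULL, 0x80000101ULL,
};

/* Placeholder fold, NOT the kernel's hash: it only exists to give the
 * callee a tagged stack array and a result the caller must consume. */
#define FOLD_INTO_SCRATCH(scratch, mpidr, n)                            \
    for (int i = 0; i < (n); i++)                                       \
        (scratch)[i & 3] ^= (mpidr)[i] * 0x9E3779B97F4A7C15ULL

/* The fix from the thread: noinline keeps the instrumented prologue in a
 * function of its own, so it can never run inside an uninstrumented caller.
 * *frame receives this function's own frame. */
static noinline uint64_t hash_noinline(const uint64_t *mpidr, int n,
                                       const void **frame)
{
    uint64_t scratch[4] = {0};          /* stack variable KASAN would tag */
    FOLD_INTO_SCRATCH(scratch, mpidr, n);
    *frame = __builtin_frame_address(0);
    return scratch[0] ^ scratch[1] ^ scratch[2] ^ scratch[3];
}

/* The hazard: always_inline is the one case where an instrumented callee is
 * inlined into a __no_sanitize_address caller, instrumentation included.
 * Once inlined, __builtin_frame_address(0) is the caller's frame. */
static __always_inline uint64_t hash_always_inline(const uint64_t *mpidr, int n,
                                                   const void **frame)
{
    uint64_t scratch[4] = {0};          /* stack variable KASAN would tag */
    FOLD_INTO_SCRATCH(scratch, mpidr, n);
    *frame = __builtin_frame_address(0);
    return scratch[0] ^ scratch[1] ^ scratch[2] ^ scratch[3];
}

/* Stand-in for setup_arch(): uninstrumented because shadow memory does not
 * exist yet when it runs.  Returns 1 if the callee's body executed in this
 * function's frame (i.e. was inlined), 0 if it got a frame of its own. */
static __no_sanitize_address int setup_probe(int use_always_inline,
                                             uint64_t *hash_out)
{
    const void *my_frame = __builtin_frame_address(0);
    const void *callee_frame = NULL;
    uint64_t h;

    if (use_always_inline)
        h = hash_always_inline(sample_mpidr, 4, &callee_frame);
    else
        h = hash_noinline(sample_mpidr, 4, &callee_frame);

    *hash_out = h;   /* consume the result: keeps the call from becoming a tail call */
    return callee_frame == my_frame;
}

/* 0: the noinline callee ran in its own frame. */
int callee_inlined_noinline(void)
{
    uint64_t h;
    return setup_probe(0, &h);
}

/* 1: the always_inline callee ran inside the uninstrumented caller's frame. */
int callee_inlined_always_inline(void)
{
    uint64_t h;
    return setup_probe(1, &h);
}

/* Same placeholder result either way; only where the prologue runs differs. */
uint64_t mpidr_hash_sample(int use_always_inline)
{
    uint64_t h;
    (void)setup_probe(use_always_inline, &h);
    return h;
}

int main(void)
{
    printf("noinline callee inlined into uninstrumented caller: %d\n",
           callee_inlined_noinline());
    printf("always_inline callee inlined into uninstrumented caller: %d\n",
           callee_inlined_always_inline());
    return 0;
}
```

Without -fsanitize the attributes change nothing about code generation, so the probe works with plain gcc or clang at any optimization level; the point it makes is structural. In a real kernel build the equivalent check is whether the callee still exists as a symbol of its own (nm or objdump on vmlinux), and a callee that is neither noinline nor always_inline can land on either side depending on the compiler, which is exactly the GCC behaviour the bugzilla entries above describe.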