Re: CONFIG_KASAN triggers ASAN bug in GCC 13.3.0 and 14.1.0

From: Uros Bizjak
Date: Thu Feb 27 2025 - 08:40:18 EST


On Thu, Feb 27, 2025 at 1:46 PM Ingo Molnar <mingo@xxxxxxxxxx> wrote:
>
>
> * Uros Bizjak <ubizjak@xxxxxxxxx> wrote:
>
> > On Thu, Feb 27, 2025 at 1:22 PM Ingo Molnar <mingo@xxxxxxxxxx> wrote:
> > >
> > >
> > > * Uros Bizjak <ubizjak@xxxxxxxxx> wrote:
> > >
> > > > On Mon, Dec 16, 2024 at 5:20 PM Matt Fleming <matt@xxxxxxxxxxxxxxxx> wrote:
> > > > >
> > > > > On Sat, Dec 14, 2024 at 1:17 AM Uros Bizjak <ubizjak@xxxxxxxxx> wrote:
> > > > > >
> > > > > > Does your config include CONFIG_UBSAN_BOOL=y ?
> > > > >
> > > > > Yes, it does!
> > > > >
> > > > > > There is a rare interaction between CONFIG_KASAN and CONFIG_UBSAN_BOOL
> > > > > > (aka -fsanitize=bool), reported in [1] and fixed for gcc-14.2 in [2].
> > > > > >
> > > > > > [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111736#c42
> > > > > >
> > > > > > [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115172
> > > > > >
> > > > > > Otherwise, please attach your .config, and I'll look into this issue.
> > > > >
> > > > > Thanks. Disabling CONFIG_UBSAN_BOOL does indeed make the kernels boot again.
> > > > >
> > > > > Should CONFIG_UBSAN_BOOL have a dependency on GCC 14.4+ ?
> > > >
> > > > No, this is a very rare Oops that triggers only with gcc-14.1 version
> > > > and only when both KASAN and UBSAN are enabled. This is actually the
> > > > problem with sanitization of the percpu address when named address
> > > > spaces are enabled (IOW, sanitization of __seg_gs prefixed address).
> > > > UBSAN creates a temporary in memory, but forgets to copy memory tags,
> > > > including named address space qualifier from the original. Later ASAN
> > > > sanitizes this location as a normal variable (due to missing
> > > > qualifier), but actually should be disabled for __seg_gs prefixed
> > > > addresses.
> > > >
> > > > Your report is only *the second* since sanitizers were re-enabled with
> > > > named address spaces. gcc-14.2 that includes the fix is available
> > > > since August 2024, and since sanitizers are strictly development
> > > > tools, my proposed solution would be to simply upgrade the compiler to
> > > > gcc-14.2 release.
> > >
> > > So unless this is difficult to test for, it would be nice to have a
> > > compiler version cutoff for the feature. Especially if it's been
> > > reported twice already, chances are that a lot more people have
> > > experienced it already.
> > >
> > > The kernel build should avoid this known oops automatically.
> >
> > The patch could be as simple as:
> >
> > --cut here--
> > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> > index 95ea2b4b95db..c94c37889917 100644
> > --- a/arch/x86/Kconfig
> > +++ b/arch/x86/Kconfig
> > @@ -2370,7 +2370,7 @@ config CC_HAS_NAMED_AS
> > depends on CC_IS_GCC
> >
> > config CC_HAS_NAMED_AS_FIXED_SANITIZERS
> > - def_bool CC_IS_GCC && GCC_VERSION >= 130300
> > + def_bool CC_IS_GCC && GCC_VERSION >= 140200
> >
> > config USE_X86_SEG_SUPPORT
> > def_bool y
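Review bot: raising the single GCC_VERSION cutoff to 140200 in this hunk gates every sanitizer combination on gcc-14.2, although the Oops being worked around needs both KASAN and UBSAN_BOOL; since USE_X86_SEG_SUPPORT only consults CC_HAS_NAMED_AS_FIXED_SANITIZERS when KASAN or KCSAN is enabled, a KCSAN-only build with gcc 13.3 through 14.1 would lose named address space support for no reason. Suggest keeping `GCC_VERSION >= 130300` for the KASAN/KCSAN case and adding a separate condition that applies only to KASAN together with UBSAN_BOOL, and updating the existing USE_X86_SEG_SUPPORT comment that cites "GCC < 13.3 - see GCC PR sanitizer/111736", which the bump alone would leave stale.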
> > --cut here--
> >
> > but it will disable all sanitizers for a very rare Oops that needs the
> > combination of CONFIG_KASAN and CONFIG_UBSAN_BOOL.
>
> Can we not limit the version quirk to KASAN && UBSAN_BOOL?

I am testing the attached patch that resolves the issue.

Thanks,
Uros.
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 95ea2b4b95db..b92e0c3f7f19 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2369,18 +2369,20 @@ config CC_HAS_NAMED_AS
def_bool $(success,echo 'int __seg_fs fs; int __seg_gs gs;' | $(CC) -x c - -S -o /dev/null)
depends on CC_IS_GCC

+#
+# -fsanitize=kernel-address (KASAN) and -fsanitize=thread (KCSAN)
+# are incompatible with named address spaces with GCC < 13.3
+# (see GCC PR sanitizer/111736 and also PR sanitizer/115172).
+#
+
config CC_HAS_NAMED_AS_FIXED_SANITIZERS
- def_bool CC_IS_GCC && GCC_VERSION >= 130300
+ def_bool y
+ depends on !(KASAN || KCSAN) || GCC_VERSION >= 130300
+ depends on !(KASAN && UBSAN_BOOL) || GCC_VERSION >= 140200

config USE_X86_SEG_SUPPORT
- def_bool y
- depends on CC_HAS_NAMED_AS
- #
- # -fsanitize=kernel-address (KASAN) and -fsanitize=thread
- # (KCSAN) are incompatible with named address spaces with
- # GCC < 13.3 - see GCC PR sanitizer/111736.
- #
- depends on !(KASAN || KCSAN) || CC_HAS_NAMED_AS_FIXED_SANITIZERS
+ def_bool CC_HAS_NAMED_AS
+ depends on CC_HAS_NAMED_AS_FIXED_SANITIZERS

config CC_HAS_SLS
def_bool $(cc-option,-mharden-sls=all)
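Review bot: the new comment block above CC_HAS_NAMED_AS_FIXED_SANITIZERS describes only the GCC < 13.3 rule for KASAN/KCSAN, while the second `depends on` line enforces a different rule (KASAN && UBSAN_BOOL needs GCC >= 14.2), and PR sanitizer/115172 is cited without saying what it covers. Suggest extending the comment so each threshold is explained where it is enforced, e.g. `# -fsanitize=bool (UBSAN_BOOL) combined with KASAN additionally requires GCC >= 14.2 (PR sanitizer/115172).` The `def_bool y` plus two `depends on` lines is otherwise behaviour-preserving for non-sanitizer builds: when neither condition fails, USE_X86_SEG_SUPPORT still reduces to CC_HAS_NAMED_AS, as before.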