From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Kees Cook <keescook@chromium.org>
Cc: Dmitry Vyukov <dvyukov@google.com>,
	Dennis Zhou <dennisszhou@gmail.com>,
	Fengguang Wu <fengguang.wu@intel.com>,
	Linux-MM <linux-mm@kvack.org>, Tejun Heo <tj@kernel.org>,
	Christoph Lameter <cl@linux.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Josef Bacik <jbacik@fb.com>, LKML <linux-kernel@vger.kernel.org>,
	LKP <lkp@01.org>, Andrey Ryabinin <aryabinin@virtuozzo.com>,
	Mark Rutland <mark.rutland@arm.com>
Subject: Re: [pcpu] BUG: KASAN: use-after-scope in pcpu_setup_first_chunk+0x1e3b/0x29e2
Date: Thu, 30 Nov 2017 19:58:45 +0000	[thread overview]
Message-ID: <CAKv+Gu-4JqNiHLo+EAbiEQ+jBNUW0iuyZQs=Do+KajKaibsZuw@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5j+om_oZ63OkJwGJNpVgBPxm9Nwc_JwbR3cpfugDPN7X+w@mail.gmail.com>

On 30 November 2017 at 19:56, Kees Cook <keescook@chromium.org> wrote:
> On Thu, Nov 30, 2017 at 11:22 AM, Dennis Zhou <dennisszhou@gmail.com> wrote:
>> Hi Dmitry and Kees,
>>
>> On Thu, Nov 30, 2017 at 10:10:41AM -0800, Kees Cook wrote:
>>> > Are we sure that structleak plugin is not at fault? If yes, then we
>>> > need to report this to https://gcc.gnu.org/bugzilla/ with instructions
>>> > on how to build/use the plugin.
>>
>> I believe this is an issue with the structleak plugin and not gcc. The
>> bug does not show up if you compile without
>> GCC_PLUGIN_STRUCTLEAK_BYREF_ALL.
>>
>> It seems to be caused by the initializer not respecting the ASAN_MARK
>> calls. Therefore, if an inlined function gets called from a for loop,
>> the initializer code gets invoked bugging in the second iteration. Below
>> is the tree dump for the structleak plugin from the reproducer in the
>> previous email. In bb 2 of INIT_LIST_HEAD, the __u = {} is before the
>> unpoison call. This is inlined in bb 3 of main.
>
> Ah-ha, okay. Thanks for the close examination. Ard, is this something
> you have a few moments to take a look at?
>

I must admit that I am a bit out of my depth here. Also, I am quite
sure this is a pre-existing issue with the plugin which is triggered
more easily because it affects many more initializers.
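The ordering problem Dennis describes in the quoted text (the plugin's zero-initializer `__u = {}` landing in the basic block before the ASAN_MARK unpoison call, so that the second trip through a loop writes to a slot the previous iteration already re-poisoned) can be shown with a small model. The program below is an added illustration written for this page; it is not the structleak plugin, GCC's sanitizer pass or the kernel's KASAN. It assumes a single stack object whose shadow state is one int, that the slot starts unpoisoned on function entry (matching the report that only the second iteration trips), and that every instrumented store checks the shadow before writing. `loop_correct_order` brackets the initializer with the scope markers; `loop_initializer_before_unpoison` reproduces the ordering from the tree dump and counts how many stores KASAN would flag.

```c
#include <stdio.h>

/*
 * Toy model of KASAN's use-after-scope tracking for ONE stack object.
 * Constructed for illustration only: a real shadow map covers all memory,
 * here a single int stands in for the object's shadow byte.
 */
enum { UNPOISONED = 0, POISONED = 1 };

struct list_head {
	struct list_head *next, *prev;
};

struct slot {
	struct list_head obj;   /* the local variable being instrumented */
	int shadow;             /* its (modelled) shadow state */
	int reports;            /* stores that hit poisoned shadow */
};

/* Stand-ins for the ASAN_MARK(UNPOISON)/ASAN_MARK(POISON) calls at scope entry/exit. */
static void asan_mark_unpoison(struct slot *s) { s->shadow = UNPOISONED; }
static void asan_mark_poison(struct slot *s) { s->shadow = POISONED; }

/* Models an instrumented store: the shadow check precedes the write. */
static void checked_store(struct slot *s, struct list_head val)
{
	if (s->shadow == POISONED)
		s->reports++;   /* KASAN would print "use-after-scope" here */
	s->obj = val;
}

/* Correct ordering: the scope markers bracket every access, including the initializer. */
int loop_correct_order(int iterations)
{
	struct slot s = { .shadow = UNPOISONED, .reports = 0 };   /* assumed: not poisoned at entry */
	for (int i = 0; i < iterations; i++) {
		asan_mark_unpoison(&s);                                   /* scope entry */
		checked_store(&s, (struct list_head){ 0 });               /* zero-init (the plugin's __u = {}) */
		checked_store(&s, (struct list_head){ &s.obj, &s.obj });  /* INIT_LIST_HEAD body */
		asan_mark_poison(&s);                                     /* scope exit */
	}
	return s.reports;
}

/* Ordering from the tree dump: the zero-initializer runs before the unpoison call. */
int loop_initializer_before_unpoison(int iterations)
{
	struct slot s = { .shadow = UNPOISONED, .reports = 0 };
	for (int i = 0; i < iterations; i++) {
		checked_store(&s, (struct list_head){ 0 });               /* still poisoned from last iteration */
		asan_mark_unpoison(&s);
		checked_store(&s, (struct list_head){ &s.obj, &s.obj });
		asan_mark_poison(&s);
	}
	return s.reports;
}

int main(void)
{
	printf("correct order, 3 iterations: %d report(s)\n", loop_correct_order(3));
	printf("init before unpoison, 1 iteration: %d report(s)\n", loop_initializer_before_unpoison(1));
	printf("init before unpoison, 3 iterations: %d report(s)\n", loop_initializer_before_unpoison(3));
	return 0;
}
```

The first pass through the misordered loop is clean because nothing has poisoned the slot yet; every later pass stores into shadow that the previous iteration's scope-exit marker left poisoned, which is the "bugging in the second iteration" behaviour and is why the report only appears once the inlined helper sits inside a loop.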
