Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754374AbcKQRjh (ORCPT ); Thu, 17 Nov 2016 12:39:37 -0500 Received: from mx1.redhat.com ([209.132.183.28]:55972 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933271AbcKQRjb (ORCPT ); Thu, 17 Nov 2016 12:39:31 -0500 Date: Thu, 17 Nov 2016 08:01:50 -0600 From: Josh Poimboeuf To: Dmitry Vyukov Cc: Peter Zijlstra , Vince Weaver , "linux-kernel@vger.kernel.org" , Ingo Molnar , Arnaldo Carvalho de Melo , "davej@codemonkey.org.uk" , Stephane Eranian Subject: Re: perf: fuzzer KASAN unwind_get_return_address Message-ID: <20161117140150.o6vy7bsrbjkg2nzd@treble> References: <20161115205748.xtroftp55igs55bz@treble> <20161116130337.GT3142@twins.programming.kicks-ass.net> <20161116143746.zoxdxrfqvmx35wln@treble> <20161116144943.GB3117@twins.programming.kicks-ass.net> <20161116145849.GR3157@twins.programming.kicks-ass.net> <20161117044828.vedc3whqkuki624r@treble> <20161117090446.GC3142@twins.programming.kicks-ass.net> <20161117091341.GS3157@twins.programming.kicks-ass.net> <20161117093028.GT3157@twins.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.0.1 (2016-04-01) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Thu, 17 Nov 2016 14:01:52 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 870 Lines: 20 On Thu, Nov 17, 2016 at 10:48:27AM +0100, Dmitry Vyukov wrote: > Just in case, there is currently a known KASAN false positive related > to longjmp's on GPFs. When a syscall hits GPF stack is unwound to > kernel entry point, this leaves a bunch of stray poisoned redzones on > the thread stack. They later cause false stack-out-of-bounds reports. > > But this does not seem to be the case here. Kernel is not tainted. And > shadow at the bottom of the reports looks sane. > > But if that's the case somehow, we will need to add > kasan_unpoison_remaining_stack() call before a longjmp like we did for > jprobe_return(): > https://groups.google.com/d/msg/kasan-dev/Hzox58yZ4MU/TOdFoWMuBQAJ I'm pretty sure this isn't a KASAN false positive. The unwinder does actually seem to be accessing a bad area of the stack, in the middle of a function's stack frame. -- Josh