Received: by 2002:a05:7412:40d:b0:e2:908c:2ebd with SMTP id 13csp316014rdf; Tue, 21 Nov 2023 03:43:11 -0800 (PST) X-Google-Smtp-Source: AGHT+IFacPxxZCDCugAi55vJnz5O2l8n41z+OTalu1U9286zazfDtvTW4INiGhI28a2mn09YWiOz X-Received: by 2002:a05:6a20:1454:b0:187:fa62:bb2f with SMTP id a20-20020a056a20145400b00187fa62bb2fmr9870694pzi.21.1700566991156; Tue, 21 Nov 2023 03:43:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700566991; cv=none; d=google.com; s=arc-20160816; b=ewSGXXi9fqIkJpFfu/YKBBPMEVKJ+B40HWWhkHETjJXS9tVocfzL0G/V8YH8CY5wbl wDE4OMlKZIj86yB0Up5cx6lnQYggbTwT6sZoma1i2JvKM9vUyoGFkpYKeevzhKSutfpU OLRbxkZ9Fx4Q+S2AU/NayQw0gsu7e/4Gw2qTgJzjeXT1r3xmiIfIKAEXZkIkvpuBur+Q T1JfLf1a62B1/1tymRYYhdGVxs7VCPmPgTRv3k0RKqJ2K6P3WW1d5TdQvN+uDQsO8jMa mGemmWF821PF3JyWqM4oIw3Pbs+z7NoOQXZMY5DYsQ0bLDWcSiPkIMLeCpOPxk80G1A+ 0QoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=mrerObRNr02Wz0BKyv1zQtU+Sqe7aHjbDRQlpll/bVM=; fh=xxAdZFA3kpD8JT6li+kQ2VgtSvPlM+9gOUJxUWkIqaM=; b=xVrS0gm/80gO6nV/IBooqoV1K0w6QMuLZ40G64PoJp0T9jzbfv4CF2mh6EcfcOuthH 9yo9ctwEeBqzJz0zfHOX9kBPy1Jbc6o9ObRXFIsj6yw8fft2qdZMcQKabIbPEVi3aJr5 pokj02CcnAMvaaI5JNUtNYIqzS+7M1BAwJL33PR95PzC7Y0jB5RNZeqRrQCSfAqfRkFx TgtLImdEJogVOB+NAlcDB66btwnfv639jm0AHTvnJXSThyHn8i8GY1weqhIp8gSxkxST lJpgwTeGD/cdg7sRscgDosHu+FqorTmxqjkcQB8LBvNaTm+tBES8v50ohF4BBieR7W7P tAcg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=phMVJX+8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2]) by mx.google.com with ESMTPS id bd6-20020a170902830600b001c9daca280esi9964683plb.235.2023.11.21.03.43.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 Nov 2023 03:43:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=phMVJX+8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id E67D9809842C; Tue, 21 Nov 2023 03:42:00 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229954AbjKULlv (ORCPT + 99 others); Tue, 21 Nov 2023 06:41:51 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33606 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229481AbjKULlt (ORCPT ); Tue, 21 Nov 2023 06:41:49 -0500 Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 265759C for ; Tue, 21 Nov 2023 03:41:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=mrerObRNr02Wz0BKyv1zQtU+Sqe7aHjbDRQlpll/bVM=; b=phMVJX+8kFvgpyZAndCrvxhsV9 lJFF/DIhZkQ8+k+LVLuvbHgwni/KeDDiEJf0gb4HfAyDdAXj49+JTQ5OCNJnpFWH9dlBlXTKVkyZ9 180HXB3SUcKfwD0+GnB+099dp0Q5pNGaiHdA4XjtGB2UC7dKwYTN2cU0az5HxDjBcQwF4f41FfmrA OBUGQL4lQsue2AUlet+N6XAmFBjnRRMVS1wy76WRKeBT/UgLYBVjm4J3waLHHm/Jo8ZJXMmhJnyNF 5RW2mNK8bcVMhPV3XYPOwVLhXM3yGJw4BiGDF6b6Egw+5Whr6p82Ei9oLTIglSnf5PWM9QcZmyhJT tZm1307A==; Received: from j130084.upc-j.chello.nl ([24.132.130.84] helo=noisy.programming.kicks-ass.net) by desiato.infradead.org with esmtpsa (Exim 4.96 #2 (Red Hat Linux)) id 1r5P8C-00BQ92-0i; Tue, 21 Nov 2023 11:41:29 +0000 Received: by noisy.programming.kicks-ass.net (Postfix, from userid 1000) id 91B563006F6; Tue, 21 Nov 2023 12:41:26 +0100 (CET) Date: Tue, 21 Nov 2023 12:41:26 +0100 From: Peter Zijlstra To: Mark Rutland Cc: Kent Overstreet , Ingo Molnar , Will Deacon , Waiman Long , Boqun Feng , linux-kernel@vger.kernel.org Subject: Re: lockdep + kasan bug? Message-ID: <20231121114126.GH8262@noisy.programming.kicks-ass.net> References: <20231120233659.e36txv3fedbjn4sx@moria.home.lan> <20231121103614.GG8262@noisy.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Tue, 21 Nov 2023 03:42:01 -0800 (PST) On Tue, Nov 21, 2023 at 11:14:37AM +0000, Mark Rutland wrote: > > > 05117 The buggy address belongs to the variable: > > > 05117 nr_large_chain_blocks+0x3c/0x40 > > > > This is weird, nr_lage_chain_blocks is a single variable, if the > > compiler keeps layout according to the source file, this would be > > chaing_block_bucket[14] or something weird like that. > > I think the size here is bogus; IIUC that's determined form the start of the > next symbol, which happens to be 64 bytes away from the start of > nr_lage_chain_blocks. > > From the memory state dump, there's padding/redzone between two global objects, > and I think we're accessing a negative offset from the next object. More on > that below. > > > Perhaps figure out what it things the @size argument to > > add_chain_block() would be? > > > > > 05117 > > > 05117 The buggy address belongs to the virtual mapping at > > > 05117 [ffffffc081710000, ffffffc088861000) created by: > > > 05117 paging_init+0x260/0x820 > > > 05117 > > > 05117 The buggy address belongs to the physical page: > > > 05117 page:00000000ce625900 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x41d7a > > > 05117 flags: 0x4000(reserved|zone=0) > > > 05117 page_type: 0xffffffff() > > > 05117 raw: 0000000000004000 fffffffe00075e88 fffffffe00075e88 0000000000000000 > > > 05117 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 > > > 05117 page dumped because: kasan: bad access detected > > > 05117 > > > 05117 Memory state around the buggy address: > > > 05117 ffffffc081b7a780: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 > > > 05117 ffffffc081b7a800: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 > > > 05117 >ffffffc081b7a880: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 > > > 05117 ^ > > In this dump: > > * '00' means all 8 bytes of an 8-byte region areaccessible > * '04' means the first 4 bytes on an 8-byte region are accessible > * 'f9' means KASAN_GLOBAL_REDZONE / padding between objects > > So at 0xffffffc081b7a880 we have a 4-byte object, 60 bytes of padding, then a > 64-byte object. > > I think the 4-byte object at 0xffffffc081b7a880 is nr_large_chain_blocks, and > the later 64-byte object is chain_block_buckets[]. Oh! That's very helpful, thanks! > I suspect the dodgy access is to chain_block_buckets[-1], which hits the last 4 > bytes of the redzone and gets (incorrectly/misleadingly) attributed to > nr_large_chain_blocks. That would mean @size == 0, at which point size_to_bucket() returns -1 and the above happens. alloc_chain_hlocks() has 'size - req', for the first with the precondition 'size >= rq', which allows the 0. The second is an iteration with the condition size > req, which does not allow the 0 case. So the first, thing, IIRC, this is trying to split a block, del_chain_block() takes what we need, and add_chain_block() puts back the remainder, except in the above case the remainder is 0 sized and things go sideways or so. Does the below help? --- diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c index e85b5ad3e206..151bd3de5936 100644 --- a/kernel/locking/lockdep.c +++ b/kernel/locking/lockdep.c @@ -3497,7 +3497,8 @@ static int alloc_chain_hlocks(int req) size = chain_block_size(curr); if (likely(size >= req)) { del_chain_block(0, size, chain_block_next(curr)); - add_chain_block(curr + req, size - req); + if (size > req) + add_chain_block(curr + req, size - req); return curr; } }