Date: Thu, 30 Nov 2017 13:22:57 -0600
From: Dennis Zhou
To: Kees Cook
Cc: Dmitry Vyukov, Fengguang Wu, Ard Biesheuvel, Linux-MM, Tejun Heo, Christoph Lameter, Linus Torvalds, Josef Bacik, LKML, LKP, Andrey Ryabinin, Mark Rutland
Subject: Re: [pcpu] BUG: KASAN: use-after-scope in pcpu_setup_first_chunk+0x1e3b/0x29e2
Message-ID: <20171130192257.GB1529@localhost>
References: <20171126063117.oytmra3tqoj5546u@wfg-t540p.sh.intel.com>
 <20171127210301.GA55812@localhost.corp.microsoft.com>
 <20171128124534.3jvuala525wvn64r@wfg-t540p.sh.intel.com>
 <20171129175430.GA58181@big-sky.attlocal.net>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Dmitry and Kees,

On Thu, Nov 30, 2017 at 10:10:41AM -0800, Kees Cook wrote:
> > Are we sure that structleak plugin is not at fault? If yes, then we
> > need to report this to https://gcc.gnu.org/bugzilla/ with instructions
> > on how to build/use the plugin.
I believe this is an issue with the structleak plugin and not gcc. The bug
does not show up if you compile without GCC_PLUGIN_STRUCTLEAK_BYREF_ALL. It
seems to be caused by the initializer not respecting the ASAN_MARK calls.
Therefore, if an inlined function gets called from a for loop, the
initializer code gets invoked, bugging in the second iteration.

Below is the tree dump for the structleak plugin from the reproducer in the
previous email. In bb 2 of INIT_LIST_HEAD, the __u = {} is before the
unpoison call. This is inlined in bb 3 of main.

>
> I thought from earlier in this thread that the bug just changed
> locations depending on the plugin. Does the issue still exist with the
> plugin disabled?
>

The bug changing locations was me just verifying it was not an issue with
percpu memory. I manually unrolled the for loop to show that the percpu bug
disappears, but manifests later on. The issue does not exist with the
BY_REF_ALL config.

Thanks,
Dennis

----

;; Function __write_once_size (__write_once_size, funcdef_no=2, decl_uid=3117, cgraph_uid=2, symbol_order=2)

__attribute__((always_inline))
__write_once_size (volatile void * p, void * res, int size)
{
  unsigned char _1;
  short unsigned int _2;
  unsigned int _3;
  long unsigned int _4;
  long unsigned int _5;

  [0.00%]:
  switch (size_7(D)) [0.00%], case 1: [0.00%], case 2: [0.00%], case 4: [0.00%], case 8: [0.00%]>

  [0.00%]:
  _1 = MEM[(__u8 *)res_9(D)];
  MEM[(volatile __u8 *)p_10(D)] ={v} _1;
  goto ; [0.00%]

  [0.00%]:
  _2 = MEM[(__u16 *)res_9(D)];
  MEM[(volatile __u16 *)p_10(D)] ={v} _2;
  goto ; [0.00%]

  [0.00%]:
  _3 = MEM[(__u32 *)res_9(D)];
  MEM[(volatile __u32 *)p_10(D)] ={v} _3;
  goto ; [0.00%]

  [0.00%]:
  _4 = MEM[(__u64 *)res_9(D)];
  MEM[(volatile __u64 *)p_10(D)] ={v} _4;
  goto ; [0.00%]

  [0.00%]:
  _5 = (long unsigned int) size_7(D);
  __builtin_memcpy (p_10(D), res_9(D), _5);

  [0.00%]:
  return;

}


;; Function INIT_LIST_HEAD (INIT_LIST_HEAD, funcdef_no=3, decl_uid=3129, cgraph_uid=3, symbol_order=3)

Symbols to be put in SSA form
{ D.3149 }
Incremental SSA update started at block: 0
Number of blocks in CFG: 9
Number of blocks to update: 8 ( 89%)

__attribute__((always_inline))
INIT_LIST_HEAD (struct list_head * list)
{
  volatile void * p;
  void * res;
  int size;
  union { struct list_head * __val; char __c[1]; } __u;
  struct list_head * D.3135;
  struct list_head * * _1;
  struct list_head * _7;
  unsigned char _13;
  short unsigned int _14;
  unsigned int _15;
  long unsigned int _16;
  long unsigned int _17;

  [0.00%]:
  __u = {};
  ASAN_MARK (UNPOISON, &__u, 8);
  __u.__val = list_4(D);
  _1 = &list_4(D)->next;
  p_10 = _1;
  res_11 = &__u.__c;
  size_12 = 8;
  switch (size_12) [0.00%], case 1: [0.00%], case 2: [0.00%], case 4: [0.00%], case 8: [0.00%]>

  [0.00%]:
  _13 = MEM[(__u8 *)res_11];
  MEM[(volatile __u8 *)p_10] ={v} _13;
  goto ; [0.00%]

  [0.00%]:
  _14 = MEM[(__u16 *)res_11];
  MEM[(volatile __u16 *)p_10] ={v} _14;
  goto ; [0.00%]

  [0.00%]:
  _15 = MEM[(__u32 *)res_11];
  MEM[(volatile __u32 *)p_10] ={v} _15;
  goto ; [0.00%]

  [0.00%]:
  _16 = MEM[(__u64 *)res_11];
  MEM[(volatile __u64 *)p_10] ={v} _16;
  goto ; [0.00%]

  [0.00%]:
  _17 = (long unsigned int) size_12;
  __builtin_memcpy (p_10, res_11, _17);

  [0.00%]:
  _7 = __u.__val;
  ASAN_MARK (POISON, &__u, 8);
  list_4(D)->prev = list_4(D);
  return;

}


;; Function main (main, funcdef_no=4, decl_uid=3138, cgraph_uid=4, symbol_order=4)

Symbols to be put in SSA form
{ D.3150 }
Incremental SSA update started at block: 0
Number of blocks in CFG: 13
Number of blocks to update: 12 ( 92%)

main (int argc, char * * argv)
{
  struct list_head * D.3165;
  union { struct list_head * __val; char __c[1]; } __u;
  int size;
  void * res;
  volatile void * p;
  struct list_head * list;
  int i;
  struct list_head * p;
  int D.3146;
  long unsigned int _1;
  long unsigned int _2;
  struct list_head * _3;
  int _11;
  struct list_head * * _15;
  unsigned char _19;
  short unsigned int _20;
  unsigned int _21;
  long unsigned int _22;
  long unsigned int _23;
  struct list_head * _24;

  [0.00%]:
  __u = {};
  p_8 = malloc (160);
  i_9 = 0;
  goto ; [0.00%]

  [0.00%]:
  _1 = (long unsigned int) i_4;
  _2 = _1 * 16;
  _3 = p_8 + _2;
  list_14 = _3;
  __u = {};
  ASAN_MARK (UNPOISON, &__u, 8);
  __u.__val = list_14;
  _15 = &list_14->next;
  p_16 = _15;
  res_17 = &__u.__c;
  size_18 = 8;
  switch (size_18) [0.00%], case 1: [0.00%], case 2: [0.00%], case 4: [0.00%], case 8: [0.00%]>

  [0.00%]:
  _19 = MEM[(__u8 *)res_17];
  MEM[(volatile __u8 *)p_16] ={v} _19;
  goto ; [0.00%]

  [0.00%]:
  _20 = MEM[(__u16 *)res_17];
  MEM[(volatile __u16 *)p_16] ={v} _20;
  goto ; [0.00%]

  [0.00%]:
  _21 = MEM[(__u32 *)res_17];
  MEM[(volatile __u32 *)p_16] ={v} _21;
  goto ; [0.00%]

  [0.00%]:
  _22 = MEM[(__u64 *)res_17];
  MEM[(volatile __u64 *)p_16] ={v} _22;
  goto ; [0.00%]

  [0.00%]:
  _23 = (long unsigned int) size_18;
  __builtin_memcpy (p_16, res_17, _23);

  [0.00%]:
  _24 = __u.__val;
  ASAN_MARK (POISON, &__u, 8);
  list_14->prev = list_14;
  i_13 = i_4 + 1;

  [0.00%]:
  # i_4 = PHI
  if (i_4 <= 9)
    goto ; [0.00%]
  else
    goto ; [0.00%]

  [0.00%]:
  free (p_8);
  _11 = 0;

  [0.00%]:
  return _11;

}


;; Function _GLOBAL__sub_I_00099_0_main (_GLOBAL__sub_I_00099_0_main, funcdef_no=5, decl_uid=3178, cgraph_uid=3, symbol_order=8)

_GLOBAL__sub_I_00099_0_main ()
{
  [0.00%]:
  __builtin___asan_init ();
  __builtin___asan_version_mismatch_check_v8 ();
  return;

}
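The reproducer itself is not on this page; what follows is a user-space reconstruction of it from the tree dump above, added here as an example and not Dennis's original code. It assumes the WRITE_ONCE()/__write_once_size() shape from the kernel's include/linux/compiler.h of that period and the ten-element malloc(160) loop the dump shows; INIT_LIST_HEAD is kept always_inline so it lands in main's loop body the same way. Built normally it is only a list initializer and the test below just checks the heads are self-linked; the comments mark where, per the dump, the plugin's `__u = {}` store sits relative to the ASAN_MARK calls once the body is inlined into the loop.

```c
/* Reconstruction (assumption) of the reproducer behind the tree dump:
 * a user-space stand-in for the kernel's WRITE_ONCE()/INIT_LIST_HEAD(),
 * invoked from a loop so the always_inline body is inlined into main. */
#include <stdlib.h>
#include <string.h>

struct list_head {
    struct list_head *next, *prev;
};

/* Same shape as the kernel's __write_once_size() (compiler.h). */
static __attribute__((always_inline)) inline
void __write_once_size(volatile void *p, void *res, int size)
{
    switch (size) {
    case 1: *(volatile unsigned char *)p  = *(unsigned char *)res;  break;
    case 2: *(volatile unsigned short *)p = *(unsigned short *)res; break;
    case 4: *(volatile unsigned int *)p   = *(unsigned int *)res;   break;
    case 8: *(volatile unsigned long long *)p = *(unsigned long long *)res; break;
    default: memcpy((void *)p, res, size);
    }
}

/* The union __u is the 8-byte stack object the dump shows being
 * ASAN_MARKed. With the structleak plugin in byref-all mode the dump has
 * "__u = {}" emitted before ASAN_MARK (UNPOISON, &__u, 8); in the inlined
 * loop body that store therefore executes after the previous iteration's
 * ASAN_MARK (POISON, &__u, 8), which is what KASAN reports as
 * use-after-scope from the second iteration on. */
#define WRITE_ONCE(x, val)                                                  \
({                                                                          \
    union { __typeof__(x) __val; char __c[1]; } __u = { .__val = (val) };   \
    __write_once_size(&(x), __u.__c, sizeof(x));                            \
    __u.__val;                                                              \
})

static __attribute__((always_inline)) inline
void INIT_LIST_HEAD(struct list_head *list)
{
    WRITE_ONCE(list->next, list);   /* stack __u lives only inside here */
    list->prev = list;
}

/* Initialise n heads in place and return how many ended up self-linked. */
int init_heads(struct list_head *p, int n)
{
    int ok = 0;

    for (int i = 0; i < n; i++) {
        INIT_LIST_HEAD(&p[i]);      /* iteration 2+ is where the dump's
                                       ordering trips use-after-scope */
        if (p[i].next == &p[i] && p[i].prev == &p[i])
            ok++;
    }
    return ok;
}

int main(void)
{
    /* 10 * sizeof(struct list_head) == 160, matching malloc (160) above. */
    struct list_head *p = malloc(10 * sizeof(*p));
    int ok;

    if (!p)
        return 1;
    ok = init_heads(p, 10);
    free(p);
    return ok == 10 ? 0 : 1;
}
```

To actually see the report you need a GCC that has the kernel's structleak plugin loaded in byref-all mode plus -fsanitize=address with -fsanitize-address-use-after-scope; a plain build exercises the same inlining but has no ASAN_MARK calls to violate.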