powerpc/kasan: Silence KASAN warnings in __get_wchan()
The following KASAN warning was reported in our kernel.
BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250
Read of size 4 at addr
d216f958 by task ps/14437
CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1
Call Trace:
[
daa63858] [
c0654348] dump_stack+0x9c/0xe4 (unreliable)
[
daa63888] [
c035cf0c] print_address_description.constprop.3+0x8c/0x570
[
daa63908] [
c035d6bc] kasan_report+0x1ac/0x218
[
daa63948] [
c00496e8] get_wchan+0x188/0x250
[
daa63978] [
c0461ec8] do_task_stat+0xce8/0xe60
[
daa63b98] [
c0455ac8] proc_single_show+0x98/0x170
[
daa63bc8] [
c03cab8c] seq_read_iter+0x1ec/0x900
[
daa63c38] [
c03cb47c] seq_read+0x1dc/0x290
[
daa63d68] [
c037fc94] vfs_read+0x164/0x510
[
daa63ea8] [
c03808e4] ksys_read+0x144/0x1d0
[
daa63f38] [
c005b1dc] ret_from_syscall+0x0/0x38
--- interrupt: c00 at 0x8fa8f4
LR = 0x8fa8cc
The buggy address belongs to the page:
page:
98ebcdd2 refcount:0 mapcount:0 mapping:
00000000 index:0x2 pfn:0x1216f
flags: 0x0()
raw:
00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000
raw:
00000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00
d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
^
d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
After looking into this issue, I find the buggy address belongs
to the task stack region. It seems KASAN has something wrong.
I look into the code of __get_wchan in x86 architecture and
find the same issue has been resolved by the commit
81539dfdd4b7 ("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
The solution could be applied to powerpc architecture too.
As Andrey Ryabinin said, get_wchan() is racy by design, it may
access volatile stack of running task, thus it may access
redzone in a stack frame and cause KASAN to warn about this.
Use READ_ONCE_NOCHECK() to silence these warnings.
Reported-by: Wanming Hu <huwanming@huaweil.com>
Signed-off-by: He Ying <heying24@huawei.com>
Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220121014418.155675-1-heying24@huawei.com