On 01/02/2025 at 16:54, Erhard Furtner wrote:
On Sat, 1 Feb 2025 16:14:04 +0100
Christophe Leroy <christophe.le...@csgroup.eu> wrote:

Thanks for the report.

That's something different. Previous report was:

BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8

This is what my patch fixes.

New report is:

BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0

Christophe

Ah, sorry... I have not been very thorough it seems!

The dmesg looked similar so I thought it was the same issue.


This time the problem is a mixture of commit 465cabc97b42 ("powerpc/code-patching: introduce patch_instructions()") and commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU") which is revealed by commit e4137f08816b ("mm, kasan, kmsan: instrument copy_from/to_kernel_nofault")

Commit c28c15b6d28a is inspired by commit b3fd8e83ada0 ("x86/alternatives: Use temporary mm for text poking") but misses the kasan_disable_current() / kasan_enable_current() sequence.

It was not necessary because __patch_mem() is not instrumented. But commit 465cabc97b42 added use of copy_to_kernel_nofault() which is now instrumented.

The problem is that commit c28c15b6d28a makes use of a special memory area which is not kernel memory and doesn't have any matching KASAN shadow area. And because it is located below TASK_SIZE, KASAN in addition sees it as user memory.

Can you try the change below?

diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c
index 8a378fc19074..f84e0337cc02 100644
--- a/arch/powerpc/lib/code-patching.c
+++ b/arch/powerpc/lib/code-patching.c
@@ -493,7 +493,9 @@ static int __do_patch_instructions_mm(u32 *addr, u32 *code, size_t len, bool rep

        orig_mm = start_using_temp_mm(patching_mm);

+       kasan_disable_current();
        err = __patch_instructions(patch_addr, code, len, repeat_instr);
+       kasan_enable_current();

        /* context synchronisation performed by __patch_instructions */
        stop_using_temp_mm(patching_mm, orig_mm);
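
Review bot: the kasan_disable_current() / kasan_enable_current() pair around __patch_instructions() carries no comment, so a later reader of __do_patch_instructions_mm() will not know why KASAN must be off here; please add a short comment above kasan_disable_current() stating that patch_addr lives in the temporary patching mm, which has no KASAN shadow and sits below TASK_SIZE, so the instrumented copy_to_kernel_nofault() would otherwise report a user-memory-access, and reference the x86 text-poking precedent (commit b3fd8e83ada0) as this thread does. Also confirm that code-patching.c already includes the header that declares kasan_disable_current() / kasan_enable_current(), since the hunk adds no include.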

