Machine freezes after running KASAN KUnit test 21 with a GCC 13.2 built kernel but runs tests fine with a CLANG 18 build kernel (v6.9-rc5, 32bit ppc, PowerMac G4 DP)

Erhard Furtner erhard_f at mailbox.org
Sun Apr 28 04:50:20 AEST 2024


Greetings!

Building kernel v6.9-rc5 with GCC 13.2 + binutils 2.42 and running KASAN KUnit tests (CONFIG_KASAN_INLINE=y, CONFIG_KASAN_KUNIT_TEST=y) on my Dual CPU PowerMac G4 DP always freezes the machine after test 21 (see attached dmesg gcc_v02). Sometimes the G4 is able to reboot, most of the time it just freezes:

==================================================================
    ok 16 kmalloc_uaf_16
    # kmalloc_oob_in_memset: EXPECTATION FAILED at mm/kasan/kasan_test.c:566
    KASAN failure expected in "memset(ptr, 0, size + KASAN_GRANULE_SIZE)", but none occurred
    not ok 17 kmalloc_oob_in_memset
    # kmalloc_oob_memset_2: EXPECTATION FAILED at mm/kasan/kasan_test.c:496
    KASAN failure expected in "memset(ptr + size - 1, 0, memset_size)", but none occurred
    not ok 18 kmalloc_oob_memset_2
    # kmalloc_oob_memset_4: EXPECTATION FAILED at mm/kasan/kasan_test.c:514
    KASAN failure expected in "memset(ptr + size - 3, 0, memset_size)", but none occurred
    not ok 19 kmalloc_oob_memset_4
    # kmalloc_oob_memset_8: EXPECTATION FAILED at mm/kasan/kasan_test.c:532
    KASAN failure expected in "memset(ptr + size - 7, 0, memset_size)", but none occurred
    not ok 20 kmalloc_oob_memset_8
    # kmalloc_oob_memset_16: EXPECTATION FAILED at mm/kasan/kasan_test.c:550
    KASAN failure expected in "memset(ptr + size - 15, 0, memset_size)", but none occurred
    not ok 21 kmalloc_oob_memset_16
watchdog: Watchdog detected hard LOCKUP on cpu 1
Modules linked in:
Kernel panic - not syncing: Hard LOCKUP
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B            N 6.9.0-rc5-PMacG4 #1
Hardware name: PowerMac3,6 7455 0x80010303 PowerMac
Call Trace:
[c13d3ba0] [c0a76604] dump_stack_lvl+0x80/0xac (unreliable)
[c13d3bc0] [c0056e18] panic+0x1f8/0x40c
[c13d3c70] [c0057104] nmi_panic+0xd8/0x104
[c13d3ce0] [c0152f34] watchdog_hardlockup_check+0x1cc/0x220
[c13d3d20] [c0152a6c] watchdog_timer_fn+0xa8/0x35c
[c13d3d60] [c01080c0] __hrtimer_run_queues+0x208/0x2dc
[c13d3e00] [c0108eb0] hrtimer_interrupt+0x154/0x308
[c13d3e50] [c0010bc0] timer_interrupt+0x130/0x1a8
[c13d3e80] [c0004a98] Decrementer_virt+0x108/0x10c
--- interrupt: 900 at __hard_irq_enable+0x10/0x18
NIP:  c00b0a08 LR: c00b63d4 CTR: 00000000
REGS: c13d3e90 TRAP: 0900   Tainted: G    B            N  (6.9.0-rc5-PMacG4)
MSR:  00009032 <EE,ME,IR,DR,RI>  CR: 42000482  XER: 00000000

GPR00: c00b63d4 c13d3f50 c115f4a0 ffffffff 00000000 00000000 c0aa620c eed9b72f 
GPR08: 00000001 00009032 00000000 c13d3f30 22000002 00000000 00000000 00000004 
GPR16: 01b3c93b 00b9df54 01b3cdb5 ffbc0cc0 40d14000 0210d0c8 01b3cecc ff8811a8 
GPR24: 00000000 00b9df50 40d14000 0210d000 00000000 c13e0000 00000000 c115f4a0 
NIP [c00b0a08] __hard_irq_enable+0x10/0x18
LR [c00b63d4] do_idle+0x108/0x128
--- interrupt: 900
[c13d3f50] [c0aa65e8] default_idle_call+0x40/0x5c (unreliable)
[c13d3f60] [c00b63d4] do_idle+0x108/0x128
[c13d3f80] [c00b6618] cpu_startup_entry+0x3c/0x40
[c13d3fa0] [c0008e34] kernel_init+0x0/0x14c
[c13d3fc0] [c1003704] console_on_rootfs+0x0/0x84
[c13d3ff0] [000035d0] 0x35d0
Rebooting in 40 seconds..


When I build the same kernel .config with clang 18 + lld 18 the G4 just boots up fine, completing the KASAN KUnit tests with just 1 failure. To get the kernel's binary size <32 MB (necessary on 32bit ppc) with KASAN_INLINE on the clang build I needed to modify the Makefile to build with -Oz instead of -Os.

The issue also shows up when I use KASAN_OUTLINE. The only interesting thing is that when I don't run the KASAN KUnit tests at bootup but later on via modprobe (see attached dmesg gcc_v02), I get different sorts of memory corruption on the G4, like:

BUG: KASAN: null-ptr-deref in account_system_index_time+0x54/0xd8
BUG maple_node (Tainted: G    B            N): Padding overwritten. 0xc54d7f00-0xc54d7fff @offset=16128
Read of size 4 at addr 00000110 by task /0
-----------------------------------------------------------------------------

Slab 0xeee95dd0 objects=21 used=21 fp=0x00000000 flags=0x840(slab|head|zone=0)
CPU: 0 PID: 1351 Comm: syslogd Tainted: G    B            N 6.9.0-rc5-PMacG4 #1
Hardware name: PowerMac3,6 7455 0x80010303 PowerMac
Call Trace:
[c31fb9e0] [c0b18324] dump_stack_lvl+0x80/0xac (unreliable)
[c31fba00] [c025368c] slab_err+0xac/0xc0
[c31fbaa0] [c025377c] slab_pad_check+0xdc/0x144
[c31fbad0] [c025388c] check_slab+0xa8/0xb0
[c31fbae0] [c0252cd0] free_to_partial_list+0x170/0x3c8
[c31fbb30] [c0274028] qlist_free_all+0xb4/0xd8
[c31fbb60] [c027446c] kasan_quarantine_reduce+0xe8/0x13c
[c31fbba0] [c027132c] __kasan_slab_alloc+0x2c/0x6c
[c31fbbc0] [c0255660] __kmalloc+0x21c/0x2e4
[c31fbc00] [c0634b48] iovec_from_user+0x4c/0xa8
[c31fbc30] [c0634c7c] __import_iovec+0xd8/0x1d4
[c31fbc70] [c0293178] vfs_writev+0xfc/0x29c
[c31fbd90] [c029340c] do_writev+0xf4/0x1a8
[c31fbe00] [c00150f4] system_call_exception+0x154/0x1c0
[c31fbf30] [c001c1ac] ret_from_syscall+0x0/0x2c
--- interrupt: c00 at 0x32f788
NIP:  0032f788 LR: 0032f75c CTR: 00267a2c
REGS: c31fbf40 TRAP: 0c00   Tainted: G    B            N  (6.9.0-rc5-PMacG4)
MSR:  0000d032 <EE,PR,ME,IR,DR,RI>  CR: 24002448  XER: 00000000

GPR00: 00000092 affbd330 a7aae360 0000000c affbd484 00000009 66298a1f 0a4841f6 
GPR08: 00000000 ffffffff affbd4c4 00560b00 40002862 0044fdf8 affbe7b6 00000000 
GPR16: 00000000 00000001 00000000 0066a170 00000000 affbde78 00000000 affbd5ec 
GPR24: 004501e0 00000060 00669edc affbd370 affbd484 00000009 0040ffac 00669eb0 
NIP [0032f788] 0x32f788
LR [0032f75c] 0x32f75c
--- interrupt: c00
Padding c54d7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding c54d7f10: 00 00 00 00 00 00 00 00 00 00 00 00 5a 5a 5a 5a  ............ZZZZ
Padding c54d7f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding c54d7f30: 00 00 00 00 00 00 00 00 00 00 00 00 5a 5a 5a 5a  ............ZZZZ
Padding c54d7f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding c54d7f50: 00 00 00 00 00 00 00 00 00 00 00 00 5a 5a 5a 5a  ............ZZZZ
Padding c54d7f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[...]

The issue also shows up on qemu, which I run via 'qemu-system-ppc -machine mac99,via=pmu -cpu 7450 -m 2G -nographic -append console=ttyS0 -kernel /var/cache/distfiles/vmlinux-6.9.0-rc5-PMacG4 -hda Debian-VM_g4.img'

Kernel .config + dmesg attached. 

Regards,
Erhard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config_69-rc5_g4++
Type: application/octet-stream
Size: 112132 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20240427/b543ab32/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dmesg_69-rc5_g4_clang
Type: application/octet-stream
Size: 496187 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20240427/b543ab32/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dmesg_69-rc5_g4-gcc_v01
Type: application/octet-stream
Size: 114125 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20240427/b543ab32/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dmesg_69-rc5_g4-gcc_v02
Type: application/octet-stream
Size: 149941 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20240427/b543ab32/attachment-0007.obj>
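The kmalloc_oob_memset_* tests quoted above fail because the instrumented memset() never reported an access that runs one byte past the object into the slab redzone. The following stand-alone model, added here and not taken from the post or from the kernel's mm/kasan code, shows what a generic-KASAN shadow check is supposed to catch for exactly those access patterns: 8-byte granules, a shadow byte of 0 for a fully addressable granule, 1..7 for a partially addressable one, and a negative poison value for the redzone. The object size of 128 bytes and the memset sizes 2/4/8/16 are assumptions about the test's parameters; the redzone poison constant and helper names are this example's own.

```c
/* Toy model of generic KASAN shadow-memory range checking.
 * Not kernel code: it mirrors the idea behind the range check an
 * instrumented memset() performs. Object size 128 and the memset sizes are
 * assumed to match the kmalloc_oob_memset_* KUnit tests. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_GRANULE_SIZE 8
#define REDZONE_POISON ((int8_t)0xFC)   /* poison value chosen for this model */

#define REGION_MAX 256                  /* object plus redzone modelled here */
static int8_t shadow[REGION_MAX / KASAN_GRANULE_SIZE];

/* Poison the whole region, then unpoison the first `size` bytes the way an
 * allocation of that size would. A trailing partial granule gets the count
 * of addressable bytes as its shadow value. */
static void shadow_alloc(size_t size)
{
    memset(shadow, REDZONE_POISON, sizeof shadow);
    size_t g = 0;
    for (; g < size / KASAN_GRANULE_SIZE; g++)
        shadow[g] = 0;
    if (size % KASAN_GRANULE_SIZE)
        shadow[g] = (int8_t)(size % KASAN_GRANULE_SIZE);
}

/* True if byte offset `off` is addressable according to the shadow. */
static bool byte_is_addressable(size_t off)
{
    if (off >= REGION_MAX)
        return false;
    int8_t s = shadow[off / KASAN_GRANULE_SIZE];
    if (s == 0)
        return true;              /* whole granule addressable */
    if (s < 0)
        return false;             /* poisoned (redzone) */
    return (int)(off % KASAN_GRANULE_SIZE) < s;   /* partial granule */
}

/* Range check for an access of `len` bytes at offset `off`.
 * Returns the offset of the first bad byte, or -1 if the range is clean. */
static long check_range(size_t off, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!byte_is_addressable(off + i))
            return (long)(off + i);
    return -1;
}

#define OBJ_SIZE 128   /* assumed allocation size of the KUnit tests */

/* memset(ptr, 0, size + KASAN_GRANULE_SIZE): overruns by a whole granule. */
static long oob_in_memset(void)
{
    shadow_alloc(OBJ_SIZE);
    return check_range(0, OBJ_SIZE + KASAN_GRANULE_SIZE);
}

/* memset(ptr + size - (n - 1), 0, n): last valid byte plus one redzone byte. */
static long oob_memset_n(size_t n)
{
    shadow_alloc(OBJ_SIZE);
    return check_range(OBJ_SIZE - (n - 1), n);
}

/* Control: a memset that stays inside the object must not be flagged. */
static long in_bounds_memset(void)
{
    shadow_alloc(OBJ_SIZE);
    return check_range(0, OBJ_SIZE);
}

/* A 13-byte object: byte 12 sits in a partial granule and is fine,
 * byte 13 is the first byte past the end. */
static long partial_granule_first_bad(void)
{
    shadow_alloc(13);
    return check_range(12, 2);
}

int main(void)
{
    printf("oob_in_memset      -> first bad byte %ld\n", oob_in_memset());
    for (size_t n = 2; n <= 16; n *= 2)
        printf("oob_memset_%-2zu      -> first bad byte %ld\n", n, oob_memset_n(n));
    printf("in_bounds_memset   -> %ld (no error)\n", in_bounds_memset());
    printf("partial granule    -> first bad byte %ld\n", partial_granule_first_bad());
    return 0;
}
```

Every oob_memset_n() variant reaches byte 128, the first redzone byte, so a correctly instrumented memset() must report it regardless of the access width; the partial-granule case shows why the shadow encodes a byte count rather than a single bit.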

