BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 (v6.13-rc6, PowerMac G4)
Erhard Furtner
erhard_f at mailbox.org
Mon Feb 3 00:25:52 AEDT 2025
On Sun, 2 Feb 2025 09:44:20 +0100
Christophe Leroy <christophe.leroy at csgroup.eu> wrote:
> This time the problem is a mixture of commit 465cabc97b42
> ("powerpc/code-patching: introduce patch_instructions()") and commit
> c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU")
> which is revealed by commit e4137f08816b ("mm, kasan, kmsan: instrument
> copy_from/to_kernel_nofault")
>
> Commit c28c15b6d28a is inspired by commit b3fd8e83ada0
> ("x86/alternatives: Use temporary mm for text poking") but misses the
> kasan_disable_current() / kasan_enable_current() sequence.
>
> Was not necessary because __patch_mem() is not instrumented. But commit
> 465cabc97b42 added use of copy_to_kernel_nofault() which is now
> instrumented.
>
> The problem is that commit c28c15b6d28a makes use of a special memory
> area which is not kernel memory and it doesn't have any matching KASAN
> shadow area. And because it is located below TASK_SIZE, in addition
> kasan sees it as user memory.
>
> Can you try the change below ?
>
> diff --git a/arch/powerpc/lib/code-patching.c
> b/arch/powerpc/lib/code-patching.c
> index 8a378fc19074..f84e0337cc02 100644
> --- a/arch/powerpc/lib/code-patching.c
> +++ b/arch/powerpc/lib/code-patching.c
> @@ -493,7 +493,9 @@ static int __do_patch_instructions_mm(u32 *addr, u32
> *code, size_t len, bool rep
>
> orig_mm = start_using_temp_mm(patching_mm);
>
> + kasan_disable_current();
> err = __patch_instructions(patch_addr, code, len, repeat_instr);
> + kasan_enable_current();
>
> /* context synchronisation performed by __patch_instructions */
> stop_using_temp_mm(patching_mm, orig_mm);
>
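Review bot: the `kasan_disable_current()` / `kasan_enable_current()` pair in this hunk carries no comment explaining why instrumentation must be suppressed here, and the reason is non-obvious: the temporary mm maps the patching area below TASK_SIZE with no matching KASAN shadow, so the now-instrumented `copy_to_kernel_nofault()` inside `__patch_instructions()` reports it as a user-memory access. Consider adding a short comment above the `kasan_disable_current();` line stating that, and referencing the equivalent sequence in the x86 text-poking code (commit b3fd8e83ada0) that this mirrors. Also confirm `code-patching.c` already includes `<linux/kasan.h>` (the hunk context does not show the include block), since the declarations live there. The pairing itself looks correct: there is no early return between the two calls, so `__patch_instructions()` returning an error still re-enables KASAN before `stop_using_temp_mm()`.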
Thanks! With this patch applied the KASAN hit is gone and I got no further KASAN hits on my Talos II during boot. Applied both patches on top of v6.13.1.
Regards,
Erhard