Message-ID: <aSXKqJTkZPNskFop@MiWiFi-R3L-srv>
Date: Tue, 25 Nov 2025 23:26:32 +0800
From: Baoquan He <bhe@...hat.com>
To: kasan-dev@...glegroups.com, bpf@...r.kernel.org
Cc: ryabinin.a.a@...il.com, glider@...gle.com, andreyknvl@...il.com,
	dvyukov@...gle.com, vincenzo.frascino@....com,
	linux-kernel@...r.kernel.org, ast@...nel.org, daniel@...earbox.net
Subject: System is broken in KASAN sw_tags mode during bootup

Hi,

I saw this on tag: next-20251125, next/master. The complete kernel
config is attached in attachment. If any other info is needed, please
reply to note.

=====abstracted config====
CONFIG_KASAN=y
CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX=y
# CONFIG_KASAN_GENERIC is not set
CONFIG_KASAN_SW_TAGS=y
CONFIG_KASAN_INLINE=y
CONFIG_KASAN_STACK=y
CONFIG_KASAN_VMALLOC=y
==========================

==========abstracted boot log============
[   25.041517] ========================
** replaying previous printk message **
[   25.041517] ==================================================================
[   25.041548] BUG: KASAN: invalid-access in adjust_insn_aux_data.isra.0+0xd0/0x170
[   25.041622] Write of size 6160 at addr f2ff80008012b108 by task systemd/1
[   25.041667] Pointer tag: [f2], memory tag: [65]
[   25.041693] 
[   25.041721] CPU: 11 UID: 0 PID: 1 Comm: systemd Not tainted 6.18.0-rc7-next-20251125 #1 PREEMPT(voluntary) 
[   25.041788] Hardware name: CRAY CS500/CMUD        , BIOS 1.4.0 Jun 17 2020
[   25.041817] Call trace:
[   25.041837]  show_stack+0x20/0x40 (C)
[   25.041905]  dump_stack_lvl+0x7c/0xa0
[   25.041969]  print_address_description.isra.0+0x90/0x2b8
[   25.042054]  print_report+0x120/0x208
[   25.042128]  kasan_report+0xc8/0x110
[   25.042204]  kasan_check_range+0x7c/0xa0
[   25.042266]  __asan_memmove+0x54/0x98
[   25.042341]  adjust_insn_aux_data.isra.0+0xd0/0x170
[   25.042416]  bpf_patch_insn_data+0xe4/0x360
[   25.042486]  convert_ctx_accesses+0x8d8/0x10c0
[   25.042562]  bpf_check+0x1458/0x1910
[   25.042623]  bpf_prog_load+0x958/0x1260
[   25.042700]  __sys_bpf+0x954/0xdd8
[   25.042758]  __arm64_sys_bpf+0x50/0xa0
[   25.042818]  invoke_syscall.constprop.0+0x88/0x148
[   25.042890]  el0_svc_common.constprop.0+0x7c/0x148
[   25.042960]  do_el0_svc+0x38/0x50
[   25.043022]  el0_svc+0x3c/0x180
[   25.043095]  el0t_64_sync_handler+0xa0/0xe8
[   25.043172]  el0t_64_sync+0x1b0/0x1b8
[   25.043234] 
[   25.043249] The buggy address belongs to a 2-page vmalloc region starting at 0xf2ff80008012b000 allocated at bpf_check+0xfc/0x1910
[   25.043323] The buggy address belongs to the physical page:
[   25.043344] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x800fb38
[   25.043386] flags: 0x25200000000000(node=0|zone=2|kasantag=0x52)
[   25.043453] raw: 0025200000000000 0000000000000000 dead000000000122 0000000000000000
[   25.043505] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[   25.043546] raw: 00000000000fffff 0000000000000000
[   25.043574] page dumped because: kasan: bad access detected
[   25.043596] 
[   25.043610] Memory state around the buggy address:
[   25.043637]  ffff80008012c600: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
[   25.043677]  ffff80008012c700: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
[   25.043717] >ffff80008012c800: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 65 65 65 65
[   25.043747]                                                        ^
[   25.043778]  ffff80008012c900: 65 65 fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[   25.043818]  ffff80008012ca00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[   25.043848] ==================================================================
[   25.043936] Disabling lock debugging due to kernel taint
[   25.043990] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
[   25.044022] Mem abort info:
[   25.044037]   ESR = 0x0000000096000004
[   25.044060]   EC = 0x25: DABT (current EL), IL = 32 bits
[   25.044091]   SET = 0, FnV = 0
[   25.044115]   EA = 0, S1PTW = 0
[   25.044138]   FSC = 0x04: level 0 translation fault
[   25.044164] Data abort info:
[   25.044179]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[   25.044204]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[   25.044236]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   25.044312] user pgtable: 4k pages, 48-bit VAs, pgdp=0000008802e8e000
[   25.044351] [0000000000000020] pgd=0000000000000000, p4d=0000000000000000
[   25.044404] Internal error: Oops: 0000000096000004 [#1]  SMP
[   25.388029] Modules linked in: aes_neon_bs
[   25.392584] CPU: 11 UID: 0 PID: 1 Comm: systemd Tainted: G    B               6.18.0-rc7-next-20251125 #1 PREEMPT(voluntary) 
[   25.404713] Tainted: [B]=BAD_PAGE
[   25.408251] Hardware name: CRAY CS500/CMUD        , BIOS 1.4.0 Jun 17 2020
[   25.415524] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   25.423112] pc : do_misc_fixups+0x18a0/0x3438
[   25.427722] lr : do_misc_fixups+0x18a0/0x3438
[   25.432523] sp : ffff800080397800
[   25.436062] x29: ffff8000803978d0 x28: 0000000000000011 x27: a3ff007f8fb6e720
[   25.443859] x26: 0000000000000001 x25: 62ff8000801290ec x24: 0000000000000000
[   25.451453] x23: 0000000000000000 x22: f2ff80008012b5d8 x21: 62ff800080129000
[   25.459252] x20: a3ff007f8fb68000 x19: 62ff8000801290e8 x18: 0000000000006728
[   25.466877] x17: 3d3d3d3d3d3d3d3d x16: 3d3d3d3d3d3d3d3d x15: 3d3d3d3d3d3d3d3d
[   25.474673] x14: 3d3d3d3d3d3d3d3d x13: 0000000000000001 x12: 0000000000000001
[   25.482464] x11: 65756420676e6967 x10: 6775626564206b63 x9 : 0000000000000007
[   25.490064] x8 : ffff8000803977e0 x7 : 0000000000000000 x6 : 0000000000000020
[   25.497863] x5 : 0000000000000001 x4 : 74ff009780184580 x3 : 0000000000000020
[   25.505456] x2 : 0000000000000001 x1 : ffffcedca27f6768 x0 : 0000000000000001
[   25.513250] Call trace:
[   25.515928]  do_misc_fixups+0x18a0/0x3438 (P)
[   25.520534]  bpf_check+0x1468/0x1910
[   25.524558]  bpf_prog_load+0x958/0x1260
[   25.528680]  __sys_bpf+0x954/0xdd8
[   25.532331]  __arm64_sys_bpf+0x50/0xa0
[   25.536336]  invoke_syscall.constprop.0+0x88/0x148
[   25.541572]  el0_svc_common.constprop.0+0x7c/0x148
[   25.546804]  do_el0_svc+0x38/0x50
[   25.550376]  el0_svc+0x3c/0x180
[   25.553774]  el0t_64_sync_handler+0xa0/0xe8
[   25.558441]  el0t_64_sync+0x1b0/0x1b8
[   25.562374] Code: 9409e8d8 f94002d7 910082e0 9409e8d5 (f94012f6) 
[   25.568889] ---[ end trace 0000000000000000 ]---
[   25.574608] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[   25.582674] SMP: stopping secondary CPUs
[   25.587032] Kernel Offset: 0x4edc1e800000 from 0xffff800080000000
[   25.593543] PHYS_OFFSET: 0x80000000
[   25.597250] CPU features: 0x000000,000da001,5008c401,04017203
[   25.603410] Memory Limit: none
[   25.606697] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---

View attachment "kasan.config" of type "text/plain" (338801 bytes)
