BUG: KASAN: global-out-of-bounds in is_midr_in_range_list+0x29c/0x2e0

Zorro Lang zlang at redhat.com
Sun Apr 27 07:15:40 PDT 2025


Hi,

I'm from the fstests@ mailing list. My latest fstests [2] regression test on
mainline linux v6.15-rc3+ (HEAD=f1a3944c860b0615d0513110d8cf62bb94adbb41)
sometimes hits the KASAN bug below [1] on aarch64 when running generic/650 [3].
So I'm reporting this issue to the arm64 list for review :)

Thanks,
Zorro


[1]
[16982.135841] run fstests generic/650 at 2025-04-26 15:57:03
[16983.655106] evm: overlay not supported
[16983.838316] psci: CPU114 killed (polled 0 ms)
[16984.610264] psci: CPU32 killed (polled 0 ms)
[16985.855711] psci: CPU19 killed (polled 0 ms)
[16986.578909] psci: CPU48 killed (polled 0 ms)
[16987.329376] psci: CPU1 killed (polled 0 ms)
[16988.071610] psci: CPU0 killed (polled 0 ms)
[16989.675527] XFS (sda5): Unmounting Filesystem 73595b5c-b0eb-4f47-9d60-41cba8eb626c
[16989.894868] XFS (sda5): Mounting V5 Filesystem 73595b5c-b0eb-4f47-9d60-41cba8eb626c
[16989.935608] XFS (sda5): Ending clean mount
[16990.913789] psci: CPU98 killed (polled 0 ms)
[16991.624018] psci: CPU94 killed (polled 0 ms)
[16992.334849] ==================================================================
[16992.334865] BUG: KASAN: global-out-of-bounds in is_midr_in_range_list+0x29c/0x2e0
[16992.334888] Read of size 4 at addr ffffd4ca56f8fb18 by task swapper/94/0

[16992.334905] CPU: 94 UID: 0 PID: 0 Comm: swapper/94 Kdump: loaded Tainted: G        W           6.15.0-rc3+ #1 PREEMPT(voluntary) 
[16992.334922] Tainted: [W]=WARN
[16992.334926] Hardware name: GIGABYTE R152-P31-00/MP32-AR1-00, BIOS F31n (SCP: 2.10.20220810) 09/30/2022
[16992.334932] Call trace:
[16992.334937]  show_stack+0x34/0x98 (C)
[16992.334952]  dump_stack_lvl+0xa8/0xe8
[16992.334965]  print_address_description.constprop.0+0x90/0x370
[16992.334983]  print_report+0x108/0x1f8
[16992.334996]  kasan_report+0x8c/0x1b0
[16992.335007]  __asan_report_load4_noabort+0x20/0x30
[16992.335019]  is_midr_in_range_list+0x29c/0x2e0
[16992.335034]  spectre_bhb_loop_affected+0x28/0xa0
[16992.335047]  is_spectre_bhb_affected+0x128/0x160
[16992.335060]  verify_local_cpu_caps+0x140/0x358
[16992.335070]  verify_local_cpu_capabilities+0x20/0x2a8
[16992.335081]  check_local_cpu_capabilities+0x28/0x58
[16992.335092]  secondary_start_kernel+0x80/0x180
[16992.335104]  __secondary_switched+0xc0/0xc8

[16992.335120] The buggy address belongs to the variable:
[16992.335124]  spectre_bhb_k132_list.10+0x18/0x40

[16992.335339] The buggy address belongs to the virtual mapping at
                [ffffd4ca56f70000, ffffd4ca57df0000) created by:
                paging_init+0x3b4/0x480

[16992.335360] The buggy address belongs to the physical page:
[16992.335366] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8015ad8f
[16992.335376] flags: 0x2fffff00002000(reserved|node=0|zone=2|lastcpupid=0xfffff)
[16992.335392] raw: 002fffff00002000 fffffe1fc36b63c8 fffffe1fc36b63c8 0000000000000000
[16992.335400] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[16992.335405] page dumped because: kasan: bad access detected

[16992.335412] Memory state around the buggy address:
[16992.335417]  ffffd4ca56f8fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9
[16992.335424]  ffffd4ca56f8fa80: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
[16992.335430] >ffffd4ca56f8fb00: 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
[16992.335435]                             ^
[16992.335440]  ffffd4ca56f8fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9
[16992.335446]  ffffd4ca56f8fc00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04 f9
[16992.335451] ==================================================================
[16992.335456] Disabling lock debugging due to kernel taint
[16992.335464] CPU features: kernel page table isolation forced ON by kpti command line option
[16992.335484] Detected PIPT I-cache on CPU94
[16992.335628] GICv3: CPU94: found redistributor 270000 region 0:0x0000100100b00000
[16992.335723] CPU94: Booted secondary processor 0x0000270000 [0x413fd0c1]
[16993.795562] psci: CPU80 killed (polled 0 ms)
[16995.515686] psci: CPU24 killed (polled 0 ms)
[16996.794949] psci: CPU9 killed (polled 0 ms)
[16997.494378] psci: CPU90 killed (polled 0 ms)


[2]
https://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git/

[3]
https://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git/tree/tests/generic/650
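To make the "Memory state" dump in the report concrete, here is an added Python decoder (not part of Zorro's report or of the kernel) that parses the access line and the shadow lines quoted above and works out which addressable object the faulting read fell outside of. It assumes the generic KASAN shadow encoding (8-byte granules, 0x00 fully addressable, 0x01-0x07 partially addressable, 0xf9 global redzone) and 128 bytes of memory per dump line.

```python
import re

# Generic KASAN shadow encoding (assumed): one shadow byte per 8-byte granule;
# 0x00 = all 8 bytes addressable, 0x01..0x07 = that many leading bytes
# addressable, anything else is poison (0xf9 marks a global-variable redzone).
GRANULE = 8
LINE_BYTES = 16 * GRANULE  # each "Memory state" line covers 128 bytes

# Lines copied from the KASAN report above (timestamps kept on purpose).
REPORT = """
[16992.334888] Read of size 4 at addr ffffd4ca56f8fb18 by task swapper/94/0
[16992.335424]  ffffd4ca56f8fa80: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
[16992.335430] >ffffd4ca56f8fb00: 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
[16992.335435]                             ^
[16992.335440]  ffffd4ca56f8fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9
""".strip().splitlines()

def parse_report(lines):
    """Return (access_addr, access_size, {line_base: [16 shadow bytes]})."""
    addr = size = None
    shadow = {}
    for line in lines:
        m = re.search(r'(?:Read|Write) of size (\d+) at addr ([0-9a-f]+)', line)
        if m:
            size, addr = int(m.group(1)), int(m.group(2), 16)
            continue
        m = re.search(r'([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})\s*$', line)
        if m:
            shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return addr, size, shadow

def shadow_at(shadow, addr):
    """Shadow byte covering addr, or None if that line is not in the dump."""
    row = shadow.get(addr & ~(LINE_BYTES - 1))
    return None if row is None else row[(addr % LINE_BYTES) // GRANULE]

def locate_object(shadow, addr):
    """Find the addressable object ending at/containing addr: (start, size)."""
    start = addr & ~(GRANULE - 1)
    while shadow_at(shadow, start - GRANULE) == 0:  # walk back over valid granules
        start -= GRANULE
    end = start
    while shadow_at(shadow, end) == 0:              # walk forward to the redzone
        end += GRANULE
    s = shadow_at(shadow, end)                      # partial granule, if any
    end += s if s is not None and 0 < s < GRANULE else 0
    return start, end - start

def analyse(lines=REPORT):
    addr, size, shadow = parse_report(lines)
    start, obj_size = locate_object(shadow, addr)
    return {"object_start": start, "object_size": obj_size,
            "access_offset": addr - start,
            "in_bounds": start <= addr and addr + size <= start + obj_size}
```

For this report the decoder finds a 24-byte addressable object starting at ffffd4ca56f8fb00 (the symbol base, since the report names spectre_bhb_k132_list.10+0x18) and a 4-byte read starting at offset 24, i.e. exactly at the first redzone byte; on arm64 struct midr_range is three u32 fields (12 bytes), so 24 bytes is two entries and the read is the walk stepping to a third entry that does not exist, the typical signature of a sentinel-terminated array scan that runs past its end.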




More information about the linux-arm-kernel mailing list