Meet compiled kernel binaray abnormal issue while enabling generic kasan in kernel 6.12 with some default KBUILD_RUSTFLAGS on
刘海燕 (Haiyan Liu)
haiyan.liu at unisoc.com
Thu Jul 17 04:25:00 PDT 2025
> -----邮件原件-----
> 发件人: Mark Rutland <mark.rutland at arm.com>
> 发送时间: 2025年7月17日 18:39
> 收件人: 刘海燕 (Haiyan Liu) <haiyan.liu at unisoc.com>
> 抄送: linux-kernel at vger.kernel.org; linux-arm-kernel at lists.infradead.org; rust-for-linux at vger.kernel.org; 代子为 (Ziwei Dai)
> <Ziwei.Dai at unisoc.com>; 周平 (Ping Zhou/9032) <Ping.Zhou1 at unisoc.com>; 杨丽娜 (Lina Yang) <lina.yang at unisoc.com>; 王双
> (Shuang Wang) <shuang.wang at unisoc.com>; Alice Ryhl <aliceryhl at google.com>; Miguel Ojeda <ojeda at kernel.org>; Matthew Maurer
> <mmaurer at google.com>; Ard Biesheuvel <ardb at kernel.org>; Sami Tolvanen <samitolvanen at google.com>
> 主题: Re: Meet compiled kernel binaray abnormal issue while enabling generic kasan in kernel 6.12 with some default KBUILD_RUSTFLAGS
> on
>
>
> 注意: 这封邮件来自于外部。除非你确定邮件内容安全,否则不要点击任何链接和附件。
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender
> and know the content is safe.
>
>
>
> Hi,
>
> From a quick scan, I think this might have something to do with UNWIND_PATCH_PAC_INTO_SCS, notes below.
>
> On Mon, Jul 14, 2025 at 03:12:33AM +0000, 刘海燕 (Haiyan Liu) wrote:
> > I am enabling generic kasan feature in kernel 6.12, and met kernel boot crash.
> > Unable to handle kernel NULL pointer dereference at virtual address
> > 0000000000000008 pc : do_basic_setup+0x6c/0xac lr :
> > do_basic_setup+0x88/0xac sp : ffffffc080087e40
>
> Can you say which hardware this is on? Given this is a NULL-dereference, this looks ike a dodgy pointer (or memory corruption) rather than
> a PAC failure.
>
> > After debug, I find some error in do_ctors().
> > Normally, the complier should insert the paciasp instruction at the function entry so that its corresponding autiasp instruction is used to
> validate the return address when the function returns.
> > NSX:FFFFFFC0800A840C|F800865E asan.module_ctor: str x30,[x18],#0x8;x30,[x18],#8
> > NSX:FFFFFFC0800A8410|A9BF7BFD stp x29,x30,[sp,#-0x10]! ; x29,x30,[sp,#-16]!
> > NSX:FFFFFFC0800A8414|910003FD mov x29,sp
> > NSX:FFFFFFC0800A8418|B0023420 adrp x0,0xFFFFFFC08472D000
> > NSX:FFFFFFC0800A841C|91390000 add x0,x0,#0xE40 ; x0,x0,#3648
> > NSX:FFFFFFC0800A8420|528000A1 mov w1,#0x5 ; w1,#5
> > NSX:FFFFFFC0800A8424|9422AF50 bl 0xFFFFFFC080954164 ; __asan_register_globals
> > NSX:FFFFFFC0800A8428|A8C17BFD ldp x29,x30,[sp],#0x10 ; x29,x30,[sp],#16
> > NSX:FFFFFFC0800A842C|F85F8E5E ldr x30,[x18,#-0x8]! ; x30,[x18,#-8]!
> > NSX:FFFFFFC0800A8430|D65F03C0 ret
>
> Here you evidently have shadow call stack enabled...
>
> > NSX:FFFFFFC0800A8478|D503233F asan.module_ctor: paciasp
> > NSX:FFFFFFC0800A847C|A9BF7BFD stp x29,x30,[sp,#-0x10]! ; x29,x30,[sp,#-16]!
> > NSX:FFFFFFC0800A8480|910003FD mov x29,sp
> > NSX:FFFFFFC0800A8484|B0023420 adrp x0,0xFFFFFFC08472D000
> > NSX:FFFFFFC0800A8488|913E0000 add x0,x0,#0xF80 ; x0,x0,#3968
> > NSX:FFFFFFC0800A848C|52800021 mov w1,#0x1 ; w1,#1
> > NSX:FFFFFFC0800A8490|9422AF35 bl 0xFFFFFFC080954164 ; __asan_register_globals
> > NSX:FFFFFFC0800A8494|A8C17BFD ldp x29,x30,[sp],#0x10 ; x29,x30,[sp],#16
> > NSX:FFFFFFC0800A8498|D50323BF autiasp
> > NSX:FFFFFFC0800A849C|D65F03C0 ret
>
> ... but here you evidently don't, and have PAC instead.
>
> Are these from the same kernel Image?
Yes, they are from the same kernel image but not the same asan.module_ctor function. The GlobalVariable are different.
> Are these decoded from the static kernel binary, or are these dumps from memory once a kernel has booted (or is in the process of
> booting)?
These are dumped from memory during the kernel booted by trace32.
> > But actually, in two asan.module_ctor functions, there is only autiasp instruction inserted before return, for validation of return address,
> while paciasp instruction is missing before.
> > NSX:FFFFFFC0800A72D8|F800865E asan.module_ctor: str x30,[x18],#0x8 ; x30,[x18],#8
> > NSX:FFFFFFC0800A72DC|F81F0FFE str x30,[sp,#-0x10]! ; x30,[sp,#-16]!
> > NSX:FFFFFFC0800A72E0|B00233C0 adrp x0,0xFFFFFFC084720000
> > NSX:FFFFFFC0800A72E4|91350000 add x0,x0,#0xD40 ; x0,x0,#3392
> > NSX:FFFFFFC0800A72E8|52803D61 mov w1,#0x1EB ; w1,#491
> > NSX:FFFFFFC0800A72EC|9422B39E bl 0xFFFFFFC080954164 ; __asan_register_globals
> > NSX:FFFFFFC0800A72F0|F84107FE ldr x30,[sp],#0x10 ; x30,[sp],#16
> > NSX:FFFFFFC0800A72F4|D50323BF autiasp
> > NSX:FFFFFFC0800A72F8|D65F03C0 ret
>
> Thas has a mixture of SCS and PAC; there's a shadow call stack prologue but a PAC epilogue:
>
> str x30, [x18], #8 // SCS
> ...
> autiasp // PAC
Yes, this is my issue and I wanted to resolve.
> ... so I'll hazard a guess that these are dumps from memory, and you have UNWIND_PATCH_PAC_INTO_SCS selected. Assuming that is the
> case, either this dump has been made mid-patching, or the patching has gone wrong somehow and left the prologues/epilogues in an
> inconsistent state (and the NULL dereference could be a secondary effect of that).
>
> Ard, does that sound plausible to you?
>
> I can't see why that would depend on KBUILD_RUSTFLAGS, but maybe the DWARF generated by rustc has confused the patching code
> somehow, or the linker has aggregated that in a suprising way.
> Mark.
Yes, Thank you. What can cause this issue? Can you give some directions so that we can gradually investigate.
>
> > NSX:FFFFFFC0800A7390|F800865E asan.module_ctor: str x30,[x18],#0x8 ; x30,[x18],#8
> > NSX:FFFFFFC0800A7394|F81F0FFE str x30,[sp,#-0x10]! ; x30,[sp,#-16]!
> > NSX:FFFFFFC0800A7398|B0023400 adrp x0,0xFFFFFFC084728000
> > NSX:FFFFFFC0800A739C|91210000 add x0,x0,#0x840 ; x0,x0,#2112
> > NSX:FFFFFFC0800A73A0|528006E1 mov w1,#0x37 ; w1,#55
> > NSX:FFFFFFC0800A73A4|9422B370 bl 0xFFFFFFC080954164 ; __asan_register_globals
> > NSX:FFFFFFC0800A73A8|F84107FE ldr x30,[sp],#0x10 ; x30,[sp],#16
> > NSX:FFFFFFC0800A73AC|D50323BF autiasp
> > NSX:FFFFFFC0800A73B0|D65F03C0 ret
> >
> > I compare kernel 6.6 and kernel 6.12 ARM Makefile, and find the difference.
> > Kernel6.6 Makefile
> > 66 ifeq ($(CONFIG_ARM64_BTI_KERNEL),y)
> > 67 KBUILD_CFLAGS += -mbranch-protection=pac-ret+bti
> > 68 else ifeq ($(CONFIG_ARM64_PTR_AUTH_KERNEL),y)
> > 69 ifeq ($(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET),y)
> > 70 KBUILD_CFLAGS += -mbranch-protection=pac-ret
> > 71 else
> > 72 KBUILD_CFLAGS += -msign-return-address=non-leaf
> > 73 endif
> > 74 else
> > 75 KBUILD_CFLAGS += $(call cc-option,-mbranch-protection=none)
> > 76 endif
> >
> > Kernel6.12 Makefile
> > 81 ifeq ($(CONFIG_ARM64_BTI_KERNEL),y)
> > 82 KBUILD_CFLAGS += -mbranch-protection=pac-ret+bti
> > 83 KBUILD_RUSTFLAGS += -Zbranch-protection=bti,pac-ret
> > 84 else ifeq ($(CONFIG_ARM64_PTR_AUTH_KERNEL),y)
> > 85 KBUILD_RUSTFLAGS += -Zbranch-protection=pac-ret
> > 86 ifeq ($(CONFIG_CC_HAS_BRANCH_PROT_PAC_RET),y)
> > 87 KBUILD_CFLAGS += -mbranch-protection=pac-ret
> > 88 else
> > 89 KBUILD_CFLAGS += -msign-return-address=non-leaf
> > 90 endif
> > 91 else
> > 92 KBUILD_CFLAGS += $(call cc-option,-mbranch-protection=none)
> > 93 endif
> >
> > After I delete the rust build flags, the asan.module_ctor binary is right and kasan feature works fine.Could you help check why
> KBUILD_RUSTFLAGS impacts kernel complication with kasan feature enabled and how can this issue fixed?
> >
> > I use the build.config.constants:
> > BRANCH=android16-6.12
> > KMI_GENERATION=4
> > CLANG_VERSION=r536225
> > RUSTC_VERSION=1.82.0
> > AARCH64_NDK_TRIPLE=aarch64-linux-android31
> > X86_64_NDK_TRIPLE=x86_64-linux-android31
> > ARM_NDK_TRIPLE=arm-linux-androideabi31
> >
> > compile configuration is :
> > CONFIG_GCC_VERSION=0
> > CONFIG_CC_IS_CLANG=y
> > CONFIG_CLANG_VERSION=190001
> > CONFIG_AS_IS_LLVM=y
> > CONFIG_AS_VERSION=190001
> > CONFIG_LD_VERSION=0
> > CONFIG_LD_IS_LLD=y
> > CONFIG_LLD_VERSION=190001
> > CONFIG_RUSTC_VERSION=108200
> > CONFIG_RUST_IS_AVAILABLE=y
> > CONFIG_RUSTC_LLVM_VERSION=190001
> > CONFIG_CC_CAN_LINK=y
> > CONFIG_CC_CAN_LINK_STATIC=y
> > CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
> > CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
> > CONFIG_TOOLS_SUPPORT_RELR=y
> > CONFIG_CC_HAS_ASM_INLINE=y
> > CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
> > CONFIG_PAHOLE_VERSION=125
> > CONFIG_IRQ_WORK=y
> > CONFIG_BUILDTIME_TABLE_SORT=y
> > CONFIG_THREAD_INFO_IN_TASK=y
> >
> > Thank you
More information about the linux-arm-kernel
mailing list