From: Michael Ellerman <mpe@ellerman.id.au>
To: Breno Leitao <leitao@debian.org>,
	linuxppc-dev@lists.ozlabs.org, Kees Cook  <keescook@chromium.org>,
	Laura Abbott  <labbott@redhat.com>
Cc: gromero@br.ibm.com,
	Anshuman Khandual  <khandual@linux.vnet.ibm.com>,
	Balbir Singh  <bsingharora@gmail.com>
Subject: Re: kernel BUG at mm/usercopy.c:72!
Date: Tue, 16 May 2017 21:09:57 +1000	[thread overview]
Message-ID: <878tlxoy62.fsf@concordia.ellerman.id.au> (raw)
In-Reply-To: <20170515191949.GA13641@gmail.com>

[Cc'ing the relevant folks]

Breno Leitao <leitao@debian.org> writes:
> Hello,
>
> Kernel 4.12-rc1 is showing a bug when I try it on a POWER8 virtual
> machine. Just SSHing into the machine causes this issue.
>
> 	[23.138124] usercopy: kernel memory overwrite attempt detected to d000000003d80030 (mm_struct) (560 bytes)
> 	[23.138195] ------------[ cut here ]------------
> 	[23.138229] kernel BUG at mm/usercopy.c:72!
> 	[23.138252] Oops: Exception in kernel mode, sig: 5 [#3]
> 	[23.138280] SMP NR_CPUS=2048 
> 	[23.138280] NUMA 
> 	[23.138302] pSeries
> 	[23.138330] Modules linked in:
> 	[23.138354] CPU: 4 PID: 2215 Comm: sshd Tainted: G      D         4.12.0-rc1+ #9
> 	[23.138395] task: c0000001e272dc00 task.stack: c0000001e27b0000
> 	[23.138430] NIP: c000000000342358 LR: c000000000342354 CTR: c0000000006eb060
> 	[23.138472] REGS: c0000001e27b3a00 TRAP: 0700   Tainted: G      D          (4.12.0-rc1+)
> 	[23.138513] MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE>
> 	[23.138517]   CR: 28004222  XER: 20000000
> 	[23.138565] CFAR: c000000000b34500 SOFTE: 1 
> 	[23.138565] GPR00: c000000000342354 c0000001e27b3c80 c00000000142a000 000000000000005e 
> 	[23.138565] GPR04: c0000001ffe0ade8 c0000001ffe21bf8 2920283536302062 79746573290d0a74 
> 	[23.138565] GPR08: 0000000000000007 c000000000f61864 00000001feeb0000 3064206f74206465 
> 	[23.138565] GPR12: 0000000000004400 c00000000fb42600 0000000000000015 00000000545bdc40 
> 	[23.138565] GPR16: 00000000545c49c8 000001000b4b8890 00007ffff78c26f0 00000000545cf000 
> 	[23.138565] GPR20: 00000000546109c8 000000000000c7e8 0000000054610010 00007ffff78c22e8 
> 	[23.138565] GPR24: 00000000545c8c40 c0000000ff6bcef0 c0000000001e5220 0000000000000230 
> 	[23.138565] GPR28: d000000003d80260 0000000000000000 0000000000000230 d000000003d80030 
> 	[23.138920] NIP [c000000000342358] __check_object_size+0x88/0x2d0
> 	[23.138956] LR [c000000000342354] __check_object_size+0x84/0x2d0
> 	[23.138990] Call Trace:
> 	[23.139006] [c0000001e27b3c80] [c000000000342354] __check_object_size+0x84/0x2d0 (unreliable)
> 	[23.139056] [c0000001e27b3d00] [c0000000009f5ba8] bpf_prog_create_from_user+0xa8/0x1a0
> 	[23.139099] [c0000001e27b3d60] [c0000000001e5d30] do_seccomp+0x120/0x720
> 	[23.139136] [c0000001e27b3dd0] [c0000000000fd53c] SyS_prctl+0x2ac/0x6b0
> 	[23.139172] [c0000001e27b3e30] [c00000000000af84] system_call+0x38/0xe0
> 	[23.139218] Instruction dump:
> 	[23.139240] 60000000 60420000 3c82ff94 3ca2ff9d 38841788 38a5e868 3c62ff95 7fc8f378 
> 	[23.139283] 7fe6fb78 386310c0 487f2169 60000000 <0fe00000> 60420000 2ba30010 409d018c 
> 	[23.139328] ---[ end trace 1a1dc952a4b7c4af ]---
> 	
> I found that kernel 4.11 does not have this issue. I also found that, if
> I revert 517e1fbeb65f5eade8d14f46ac365db6c75aea9b, I do not see the
> problem.
>
> On the other side, if I cherry-pick commit
> 517e1fbeb65f5eade8d14f46ac365db6c75aea9b into 4.11, I start seeing the
> same issue also on 4.11.

Yeah it looks like powerpc also suffers from the same bug that arm64
used to, ie. virt_addr_valid() will return true for some vmalloc
addresses.

virt_addr_valid() is used pretty widely, I'm not sure if we can just fix
it without other fallout. I'll dig a bit more tomorrow if no one beats
me to it.

Kees, depending on how that turns out we may ask you to revert
517e1fbeb65f ("mm/usercopy: Drop extra is_vmalloc_or_module() check").

cheers
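A constructed user-space model of the dispatch Michael describes, added here and not code from the thread or from the kernel: it contrasts the check shape before 517e1fbeb65f (with the extra is_vmalloc_or_module_addr() bail-out) against the shape after it, using a virt_addr_valid() that, as on the reported powerpc box, accepts a vmalloc address. The page size, RAM size, slab object size, the aliased page and the top-nibble masking mechanism are all assumptions for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of the usercopy dispatch discussed in this thread.
 * Region bases, page size, RAM size and the slab layout are all assumed. */
#define PAGE_SHIFT    16ULL          /* 64K pages, assumed */
#define MAX_PFN       0x20000ULL     /* 8 GiB of RAM, assumed */
#define SLAB_OBJ_SIZE 0x200ULL       /* fake mm_struct slab object size, assumed */
#define ALIASED_PFN   0x3d8ULL       /* fake slab page the vmalloc address maps onto */

/* 0xd... is the powerpc64 vmalloc region, as in the oops address. */
static bool is_vmalloc_or_module_addr(uint64_t va) { return (va >> 60) == 0xd; }

/* Assumed mechanism for "virt_addr_valid() returns true for some vmalloc
 * addresses": the top nibble is masked off, so a vmalloc address yields a
 * pfn that happens to lie inside RAM. */
static uint64_t virt_to_pfn(uint64_t va) { return (va & 0x0fffffffffffffffULL) >> PAGE_SHIFT; }
static bool virt_addr_valid(uint64_t va) { return virt_to_pfn(va) < MAX_PFN; }

/* Fake page table: only one physical page is a slab page (holding
 * mm_struct objects), and it is the one the vmalloc address aliases to. */
static bool page_is_slab(uint64_t pfn) { return pfn == ALIASED_PFN; }

enum verdict { COPY_OK, COPY_REJECTED };
/* Modeled usercopy check. with_vmalloc_check=true is the shape before
 * 517e1fbeb65f (extra is_vmalloc_or_module_addr() bail-out), false is after. */
static enum verdict check_object_size(uint64_t va, uint64_t n, bool with_vmalloc_check)
{
    if (with_vmalloc_check && is_vmalloc_or_module_addr(va))
        return COPY_OK;              /* vmalloc memory is not slab: nothing to check */
    if (!virt_addr_valid(va))
        return COPY_OK;              /* not linear-map memory: skip the heap check */
    uint64_t pfn = virt_to_pfn(va);  /* wrong page when va is a vmalloc address */
    if (!page_is_slab(pfn))
        return COPY_OK;
    uint64_t off = va & ((1ULL << PAGE_SHIFT) - 1);
    /* Object bounds come from the aliased slab page, not the real buffer. */
    if (off % SLAB_OBJ_SIZE + n > SLAB_OBJ_SIZE)
        return COPY_REJECTED;        /* "kernel memory overwrite attempt detected" */
    return COPY_OK;
}

int main(void)
{
    uint64_t filter = 0xd000000003d80030ULL; /* address from the oops, 560-byte copy */
    printf("4.11 shape: %s\n", check_object_size(filter, 560, true) == COPY_OK ? "ok" : "rejected");
    printf("4.12-rc1 shape: %s\n", check_object_size(filter, 560, false) == COPY_OK ? "ok" : "rejected");
    return 0;
}
```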
