linux-mm.kvack.org archive mirror
* next: arm64: boot: kernel BUG at mm/usercopy.c:102 - pc : usercopy_abort
From: Naresh Kamboju @ 2023-02-09  8:57 UTC (permalink / raw)
  To: open list, Linux-Next Mailing List, linux-mm, Netdev, lkft-triage
  Cc: Thomas Gleixner, Hyeonggon Yoo, Vlastimil Babka, Dave Chinner,
	Christoph Hellwig, Christian Brauner, Eric Dumazet,
	Jakub Kicinski, Andrew Morton, Arnd Bergmann, Anders Roxell

The following kernel crash was noticed while booting arm64 devices and qemu-arm64 with
kselftest merge configs enabled.

Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>

crash log:
----------
usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_small_head' (offset 130, size 12)!
..
[   24.673364] ------------[ cut here ]------------
[   24.673812] kernel BUG at mm/usercopy.c:102!
[   24.674631] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[   24.675389] Modules linked in:
[   24.676231] CPU: 3 PID: 1 Comm: systemd Not tainted 6.2.0-rc7-next-20230209 #1
[   24.676779] Hardware name: linux,dummy-virt (DT)
[   24.677256] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[   24.677695] pc : usercopy_abort (mm/usercopy.c:102 (discriminator 24))
[   24.678470] lr : usercopy_abort (mm/usercopy.c:102 (discriminator 24))
[   24.678717] sp : ffff80000803bab0
[   24.678949] x29: ffff80000803bac0 x28: ffff0000c0838040 x27: ffff80000803bc70
[   24.679618] x26: 0000000000000000 x25: ffff0000c0fe4040 x24: ffff0000c4752000
[   24.680050] x23: 0000000000000000 x22: 0000000000000020 x21: 0000000000000000
[   24.680484] x20: ffffc94cf339ac70 x19: ffffc94cf31861b8 x18: 0000000000000000
[   24.680929] x17: 63656a626f204255 x16: 4c53206f74206465 x15: 7463657465642074
[   24.681372] x14: 706d657474612065 x13: 2129323320657a69 x12: 0000000000000001
[   24.681810] x11: ffffc94cf372ba24 x10: 65685f6c6c616d73 x9 : ffffc94cf1184028
[   24.682299] x8 : ffff80000803b7b8 x7 : ffffc94cf4207170 x6 : 0000000000000001
[   24.682742] x5 : 0000000000000001 x4 : ffffc94cf4165000 x3 : 0000000000000000
[   24.683216] x2 : 0000000000000000 x1 : ffff0000c0838040 x0 : 000000000000006a
[   24.683788] Call trace:
[   24.684019] usercopy_abort (mm/usercopy.c:102 (discriminator 24))
[   24.684346] __check_heap_object (mm/slub.c:4739)
[   24.684621] __check_object_size (mm/usercopy.c:196 mm/usercopy.c:251 mm/usercopy.c:213)
[   24.684883] netlink_sendmsg (include/linux/uio.h:177 include/linux/uio.h:184 include/linux/skbuff.h:3977 net/netlink/af_netlink.c:1927)
[   24.685161] __sys_sendto (net/socket.c:722 net/socket.c:745 net/socket.c:2142)
[   24.685397] __arm64_sys_sendto (net/socket.c:2150)
[   24.685644] invoke_syscall (arch/arm64/include/asm/current.h:19 arch/arm64/kernel/syscall.c:57)
[   24.685891] el0_svc_common.constprop.0 (arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/syscall.c:150)
[   24.686164] do_el0_svc (arch/arm64/kernel/syscall.c:194)
[   24.686401] el0_svc (arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:142 arch/arm64/kernel/entry-common.c:638)
[   24.686602] el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:656)
[   24.686862] el0t_64_sync (arch/arm64/kernel/entry.S:591)
[ 24.687307] Code: aa1303e3 9000ea60 91300000 97f49682 (d4210000)
All code
========
   0:* e3 03                jrcxz  0x5 <-- trapping instruction
   2: 13 aa 60 ea 00 90    adc    -0x6fff15a0(%rdx),%ebp
   8: 00 00                add    %al,(%rax)
   a: 30 91 82 96 f4 97    xor    %dl,-0x680b697e(%rcx)
  10: 00 00                add    %al,(%rax)
  12: 21 d4                and    %edx,%esp

Code starting with the faulting instruction
===========================================
   0: 00 00                add    %al,(%rax)
   2: 21 d4                and    %edx,%esp
[   24.688236] ---[ end trace 0000000000000000 ]---
[   24.688722] note: systemd[1] exited with irqs disabled
[   24.689588] note: systemd[1] exited with preempt_count 1
[   24.690331] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[   24.690875] SMP: stopping secondary CPUs
[   24.691749] Kernel Offset: 0x494ce9000000 from 0xffff800008000000
[   24.692103] PHYS_OFFSET: 0x40000000
[   24.692349] CPU features: 0x000000,0068c25f,3326773f
[   24.692924] Memory Limit: none
[   24.693422] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---


detailed boot logs:
https://lkft.validation.linaro.org/scheduler/job/6145112#L778
https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230209/testrun/14667540/suite/log-parser-test/tests/
https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230209/testrun/14667540/suite/log-parser-test/test/check-kernel-bug/log


metadata:
  git_ref: master
  git_repo: https://gitlab.com/Linaro/lkft/mirrors/next/linux-next
  git_sha: 20f513df926fac0594a3b65f79d856bd64251861
  git_describe: next-20230209
  kernel_version: 6.2.0-rc7
  kernel-config: https://storage.tuxsuite.com/public/linaro/lkft/builds/2LUB6A6xC34mySgwQ3vPa6kHKJS/config
  artifact-location: https://storage.tuxsuite.com/public/linaro/lkft/builds/2LUB6A6xC34mySgwQ3vPa6kHKJS/
  toolchain: gcc-11
  build_name: gcc-11-lkftconfig-kselftest


--
Linaro LKFT
https://lkft.linaro.org



* Re: next: arm64: boot: kernel BUG at mm/usercopy.c:102 - pc : usercopy_abort
From: Eric Dumazet @ 2023-02-09  9:58 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Linux-Next Mailing List, linux-mm, Netdev,
	lkft-triage, Thomas Gleixner, Hyeonggon Yoo, Vlastimil Babka,
	Dave Chinner, Christoph Hellwig, Christian Brauner,
	Jakub Kicinski, Andrew Morton, Arnd Bergmann, Anders Roxell

On Thu, Feb 9, 2023 at 9:57 AM Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
>
> The following kernel crash was noticed while booting arm64 devices and qemu-arm64 with
> kselftest merge configs enabled.
>
> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>
> crash log:
> ----------
> usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_small_head' (offset 130, size 12)!
> ..
> [   24.673364] ------------[ cut here ]------------
> [   24.673812] kernel BUG at mm/usercopy.c:102!
> [   24.674631] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
> [   24.675389] Modules linked in:
> [   24.676231] CPU: 3 PID: 1 Comm: systemd Not tainted 6.2.0-rc7-next-20230209 #1
> [   24.676779] Hardware name: linux,dummy-virt (DT)
> [   24.677256] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
> [   24.677695] pc : usercopy_abort (mm/usercopy.c:102 (discriminator 24))
> [   24.678470] lr : usercopy_abort (mm/usercopy.c:102 (discriminator 24))
> [   24.678717] sp : ffff80000803bab0
> [   24.678949] x29: ffff80000803bac0 x28: ffff0000c0838040 x27: ffff80000803bc70
> [   24.679618] x26: 0000000000000000 x25: ffff0000c0fe4040 x24: ffff0000c4752000
> [   24.680050] x23: 0000000000000000 x22: 0000000000000020 x21: 0000000000000000
> [   24.680484] x20: ffffc94cf339ac70 x19: ffffc94cf31861b8 x18: 0000000000000000
> [   24.680929] x17: 63656a626f204255 x16: 4c53206f74206465 x15: 7463657465642074
> [   24.681372] x14: 706d657474612065 x13: 2129323320657a69 x12: 0000000000000001
> [   24.681810] x11: ffffc94cf372ba24 x10: 65685f6c6c616d73 x9 : ffffc94cf1184028
> [   24.682299] x8 : ffff80000803b7b8 x7 : ffffc94cf4207170 x6 : 0000000000000001
> [   24.682742] x5 : 0000000000000001 x4 : ffffc94cf4165000 x3 : 0000000000000000
> [   24.683216] x2 : 0000000000000000 x1 : ffff0000c0838040 x0 : 000000000000006a
> [   24.683788] Call trace:
> [   24.684019] usercopy_abort (mm/usercopy.c:102 (discriminator 24))
> [   24.684346] __check_heap_object (mm/slub.c:4739)
> [   24.684621] __check_object_size (mm/usercopy.c:196 mm/usercopy.c:251 mm/usercopy.c:213)
> [   24.684883] netlink_sendmsg (include/linux/uio.h:177 include/linux/uio.h:184 include/linux/skbuff.h:3977 net/netlink/af_netlink.c:1927)
> [   24.685161] __sys_sendto (net/socket.c:722 net/socket.c:745 net/socket.c:2142)
> [   24.685397] __arm64_sys_sendto (net/socket.c:2150)
> [   24.685644] invoke_syscall (arch/arm64/include/asm/current.h:19 arch/arm64/kernel/syscall.c:57)
> [   24.685891] el0_svc_common.constprop.0 (arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/syscall.c:150)
> [   24.686164] do_el0_svc (arch/arm64/kernel/syscall.c:194)
> [   24.686401] el0_svc (arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:142 arch/arm64/kernel/entry-common.c:638)
> [   24.686602] el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:656)
> [   24.686862] el0t_64_sync (arch/arm64/kernel/entry.S:591)
> [ 24.687307] Code: aa1303e3 9000ea60 91300000 97f49682 (d4210000)
> All code
> ========
>    0:* e3 03                jrcxz  0x5 <-- trapping instruction
>    2: 13 aa 60 ea 00 90    adc    -0x6fff15a0(%rdx),%ebp
>    8: 00 00                add    %al,(%rax)
>    a: 30 91 82 96 f4 97    xor    %dl,-0x680b697e(%rcx)
>   10: 00 00                add    %al,(%rax)
>   12: 21 d4                and    %edx,%esp
>
> Code starting with the faulting instruction
> ===========================================
>    0: 00 00                add    %al,(%rax)
>    2: 21 d4                and    %edx,%esp
> [   24.688236] ---[ end trace 0000000000000000 ]---
> [   24.688722] note: systemd[1] exited with irqs disabled
> [   24.689588] note: systemd[1] exited with preempt_count 1
> [   24.690331] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
> [   24.690875] SMP: stopping secondary CPUs
> [   24.691749] Kernel Offset: 0x494ce9000000 from 0xffff800008000000
> [   24.692103] PHYS_OFFSET: 0x40000000
> [   24.692349] CPU features: 0x000000,0068c25f,3326773f
> [   24.692924] Memory Limit: none
> [   24.693422] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
>
>
> detailed boot logs:
> https://lkft.validation.linaro.org/scheduler/job/6145112#L778
> https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230209/testrun/14667540/suite/log-parser-test/tests/
> https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230209/testrun/14667540/suite/log-parser-test/test/check-kernel-bug/log
>
>
> metadata:
>   git_ref: master
>   git_repo: https://gitlab.com/Linaro/lkft/mirrors/next/linux-next
>   git_sha: 20f513df926fac0594a3b65f79d856bd64251861
>   git_describe: next-20230209
>   kernel_version: 6.2.0-rc7
>   kernel-config: https://storage.tuxsuite.com/public/linaro/lkft/builds/2LUB6A6xC34mySgwQ3vPa6kHKJS/config
>   artifact-location: https://storage.tuxsuite.com/public/linaro/lkft/builds/2LUB6A6xC34mySgwQ3vPa6kHKJS/
>   toolchain: gcc-11
>   build_name: gcc-11-lkftconfig-kselftest
>
>
> --
> Linaro LKFT
> https://lkft.linaro.org

This should be fixed when this patch is accepted/merged.

https://patchwork.kernel.org/project/netdevbpf/patch/20230208142508.3278406-1-edumazet@google.com/

Thanks.

