On 05/07/2017 07:51 AM, Kees Cook wrote: > On Sun, May 7, 2017 at 2:06 AM, kernel test robot > <fengguang.wu@xxxxxxxxx> wrote: >> Greetings, >> >> 0day kernel testing robot got the below dmesg and the first bad commit is >> >> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master >> >> commit 517e1fbeb65f5eade8d14f46ac365db6c75aea9b >> Author: Laura Abbott <labbott@xxxxxxxxxx> >> AuthorDate: Tue Apr 4 14:09:00 2017 -0700 >> Commit: Kees Cook <keescook@xxxxxxxxxxxx> >> CommitDate: Wed Apr 5 12:30:18 2017 -0700 >> >> mm/usercopy: Drop extra is_vmalloc_or_module() check >> >> Previously virt_addr_valid() was insufficient to validate if virt_to_page() >> could be called on an address on arm64. This has since been fixed up so >> there is no need for the extra check. Drop it. >> >> Signed-off-by: Laura Abbott <labbott@xxxxxxxxxx> >> Acked-by: Mark Rutland <mark.rutland@xxxxxxx> >> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> > > This appears to be from CONFIG_DEBUG_VIRTUAL on __phys_addr, used by > hardened usercopy, probably during virt_addr_valid(). I'll take a > closer look on Monday... > > -Kees > So this looks like a strange edge case/bug on x86 32-bit. virt_addr_valid is returning true on vmalloc addresses because __vmalloc_start_set is never getting set because the below configuration uses CONFIG_NEED_MULTIPLE_NODES=y and that variable only gets set with CONFIG_NEED_MULTIPLE_NODES=n currently. If I set it in arch/x86/mm/numa_32.c, it seems to work: Thanks, Laura diff --git a/arch/x86/mm/numa_32.c b/arch/x86/mm/numa_32.c index 6b7ce62..aca6295 100644 --- a/arch/x86/mm/numa_32.c +++ b/arch/x86/mm/numa_32.c @@ -100,5 +100,6 @@ void __init initmem_init(void) printk(KERN_DEBUG "High memory starts at vaddr %08lx\n", (ulong) pfn_to_kaddr(highstart_pfn)); + __vmalloc_start_set = true; setup_bootmem_allocator(); } >> >> 96dc4f9fb6 usercopy: Move enum for arch_within_stack_frames() >> 517e1fbeb6 mm/usercopy: Drop extra is_vmalloc_or_module() check >> 13e0988140 docs: complete bumping minimal GNU Make version to 3.81 >> 9e597e815f Add linux-next specific files for 20170505 >> +------------------------------------------------------+------------+------------+------------+---------------+ >> | | 96dc4f9fb6 | 517e1fbeb6 | 13e0988140 | next-20170505 | >> +------------------------------------------------------+------------+------------+------------+---------------+ >> | boot_successes | 35 | 3 | 6 | 0 | >> | boot_failures | 0 | 12 | 13 | 18 | >> | kernel_BUG_at_arch/x86/mm/physaddr.c | 0 | 12 | 13 | 13 | >> | invalid_opcode:#[##] | 0 | 12 | 13 | 13 | >> | EIP:__phys_addr | 0 | 12 | 13 | 13 | >> | Kernel_panic-not_syncing:Fatal_exception | 0 | 12 | 13 | 13 | >> | WARNING:at_kernel/cpu.c:#lockdep_assert_hotplug_held | 0 | 0 | 0 | 18 | >> | EIP:lockdep_assert_hotplug_held | 0 | 0 | 0 | 18 | >> +------------------------------------------------------+------------+------------+------------+---------------+ >> >> [main] Setsockopt(1 22 80d3000 4) on fd 47 [1:5:1] >> [ 18.665929] sock: process `trinity-main' is using obsolete setsockopt SO_BSDCOMPAT >> [main] Setsockopt(1 e 80d3000 90) on fd 49 [1:2:1] >> [main] Setsockopt(10e 5 80d3000 4) on fd 52 [16:3:16] >> [ 18.668412] ------------[ cut here ]------------ >> [ 18.668824] kernel BUG at arch/x86/mm/physaddr.c:78! >> [ 18.669424] invalid opcode: 0000 [#1] SMP >> [ 18.669776] CPU: 0 PID: 754 Comm: trinity-main Not tainted 4.11.0-rc2-00002-g517e1fb #1 >> [ 18.670469] task: 4ca52e80 task.stack: 4c572000 >> [ 18.670860] EIP: __phys_addr+0x120/0x130 >> [ 18.671189] EFLAGS: 00010202 CPU: 0 >> [ 18.671482] EAX: 0000ff01 EBX: 50851020 ECX: 00000000 EDX: 00000001 >> [ 18.672025] ESI: 0000ff01 EDI: 10851020 EBP: 4c573e70 ESP: 4c573e60 >> [ 18.672557] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 >> [ 18.673025] CR0: 80050033 CR2: 084da000 CR3: 0c65c4a0 CR4: 001406f0 >> [ 18.673560] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 >> [ 18.674100] DR6: fffe0ff0 DR7: 00000400 >> [ 18.674420] Call Trace: >> [ 18.674632] __check_object_size+0xff/0x42f >> [ 18.674988] ? __might_sleep+0x8e/0x130 >> [ 18.675310] __get_filter+0xaa/0x130 >> [ 18.675612] sk_attach_filter+0x15/0x90 >> [ 18.675937] sock_setsockopt+0x6b3/0x960 >> [ 18.676263] SyS_socketcall+0x773/0x810 >> [ 18.676585] ? __do_page_fault+0x36c/0x730 >> [ 18.676932] do_int80_syscall_32+0x8a/0x230 >> [ 18.677307] ? prepare_exit_to_usermode+0x38/0x60 >> [ 18.677712] entry_INT80_32+0x2f/0x2f >> [ 18.678034] EIP: 0x37688a42 >> [ 18.678278] EFLAGS: 00000202 CPU: 0 >> [ 18.678580] EAX: ffffffda EBX: 0000000e ECX: 3fc2da40 EDX: 3fc2dac0 >> [ 18.679099] ESI: 00000004 EDI: 00000035 EBP: 3753f1ac ESP: 3fc2da3c >> [ 18.679618] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b >> [ 18.680069] Code: 00 00 e0 ff 2d 00 20 00 00 39 c3 0f 83 47 ff ff ff c7 04 24 00 00 00 00 31 c9 ba 01 00 00 00 b8 98 e7 1a 42 e8 22 3e 0d 00 0f 0b <0f> 0b 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00 55 89 e5 53 3e >> [ 18.681652] EIP: __phys_addr+0x120/0x130 SS:ESP: 0068:4c573e60 >> [ 18.682174] ---[ end trace bbf34582d6d63d7a ]--- >> [ 18.682636] Kernel panic - not syncing: Fatal exception >> >> # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD >> git bisect start 773f7f5cf2d18eb40343d1e4e9a49062739e0425 a351e9b9fc24e982ec2f0e76379a49826036da12 -- >> git bisect bad 39af3d3d90897d17d79bc655068cf09a717a0e68 # 12:26 B 0 4 15 0 Merge 'mellanox/queue-next' into devel-spot-201705070851 >> git bisect bad 32f465722603afc8d3d90ad9fb999095afe11205 # 12:42 B 0 11 22 0 Merge 'linux-review/David-Ahern/net-reducing-memory-footprint-of-network-devices/20170507-031536' into devel-spot-201705070851 >> git bisect bad 1cbccce1b4565d60c4d9a5bc3aaf8d63b5b9224f # 12:53 B 0 11 22 0 Merge 'linux-review/Geliang-Tang/yam-use-memdup_user/20170507-045454' into devel-spot-201705070851 >> git bisect bad 408133c058c5492c03ff9f3827ccdb65b42cb842 # 13:06 B 0 11 22 0 Merge 'linux-review/Christophe-JAILLET/firmware-Google-VPD-Fix-memory-allocation-error-handling/20170507-064549' into devel-spot-201705070851 >> git bisect bad d5f6ce59cba315fc39f8bdd594d9a6ec7633be45 # 13:14 B 0 1 12 0 Merge 'linux-review/Geert-Uytterhoeven/signal-Export-signal_wake_up_state-to-modules/20170507-082935' into devel-spot-201705070851 >> git bisect good 163f34fcdf2791ac0e609d59440a9ef90d2bf3d2 # 13:34 G 11 0 0 0 0day base guard for 'devel-spot-201705070851' >> git bisect good ddd92361062a7eb9708eb6c633346c35d0d67d2f # 13:45 G 11 0 0 0 Merge 'linux-review/Geliang-Tang/platform-x86-toshiba_acpi-use-memdup_user_nul/20170507-083752' into devel-spot-201705070851 >> git bisect bad a3719f34fdb664ffcfaec2160ef20fca7becf2ee # 13:57 B 0 11 22 0 Merge branch 'generic' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs >> git bisect good 5d15af6778b8e4ed1fd41b040283af278e7a9a72 # 14:11 G 11 0 0 0 Merge branch 'tipc-refactor-socket-receive-functions' >> git bisect good 7c8c03bfc7b9f5211d8a69eab7fee99c9fb4f449 # 14:21 G 11 0 0 0 Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip >> git bisect bad 8d65b08debc7e62b2c6032d7fe7389d895b92cbc # 14:30 B 0 11 22 0 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next >> git bisect good b68e7e952f24527de62f4768b1cead91f92f5f6e # 14:40 G 11 0 0 0 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux >> git bisect bad 5b13475a5e12c49c24422ba1bd9998521dec1d4e # 14:51 B 0 11 22 0 Merge branch 'work.iov_iter' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs >> git bisect good 0cb300623e3bb460fd9853bbde2fd1973e3bbcd8 # 15:01 G 11 0 0 0 usb: gadget.h: be consistent at kernel doc macros >> git bisect good 3a7d2fd16c57a1ef47dc2891171514231c9c7c6e # 15:21 G 11 0 0 0 pstore: Solve lockdep warning by moving inode locks >> git bisect good c58d4055c054fc6dc72f1be8bc71bd6fff209e48 # 15:35 G 11 0 0 0 Merge tag 'docs-4.12' of git://git.lwn.net/linux >> git bisect bad 6fd4e7f7744bd7859ca3cae19c4613252ebb6bff # 15:43 B 0 11 22 0 Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 >> git bisect bad 5958cc49ed2961a059d92ae55afeeaba64a783a0 # 15:51 B 0 1 12 0 Merge tag 'usercopy-v4.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux >> git bisect bad 517e1fbeb65f5eade8d14f46ac365db6c75aea9b # 16:05 B 0 11 22 0 mm/usercopy: Drop extra is_vmalloc_or_module() check >> git bisect good 96dc4f9fb64690fc34410415fd1fc609cf803f61 # 16:14 G 11 0 0 0 usercopy: Move enum for arch_within_stack_frames() >> # first bad commit: [517e1fbeb65f5eade8d14f46ac365db6c75aea9b] mm/usercopy: Drop extra is_vmalloc_or_module() check >> git bisect good 96dc4f9fb64690fc34410415fd1fc609cf803f61 # 16:17 G 31 0 0 0 usercopy: Move enum for arch_within_stack_frames() >> # extra tests with CONFIG_DEBUG_INFO_REDUCED >> git bisect bad 517e1fbeb65f5eade8d14f46ac365db6c75aea9b # 16:31 B 0 11 22 0 mm/usercopy: Drop extra is_vmalloc_or_module() check >> # extra tests on HEAD of linux-devel/devel-spot-201705070851 >> git bisect bad 773f7f5cf2d18eb40343d1e4e9a49062739e0425 # 16:32 B 0 22 37 0 0day head guard for 'devel-spot-201705070851' >> # extra tests on tree/branch linus/master >> git bisect bad 13e0988140374123bead1dd27c287354cb95108e # 16:43 B 0 11 22 0 docs: complete bumping minimal GNU Make version to 3.81 >> # extra tests with first bad commit reverted >> git bisect good 688e95d3e3571e6b1c08da62fc402f1c1c3d5542 # 16:53 G 10 0 0 0 Revert "mm/usercopy: Drop extra is_vmalloc_or_module() check" >> # extra tests on tree/branch linux-next/master >> git bisect bad 9e597e815f68867c70d1b70cb2b037b92a8ec12b # 17:06 B 0 9 27 7 Add linux-next specific files for 20170505 >> >> --- >> 0-DAY kernel test infrastructure Open Source Technology Center >> https://lists.01.org/pipermail/lkp Intel Corporation > > > -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>