Re: [Bug 209919] New: kernel BUG at mm/usercopy.c:99 from stress-ng procfs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Wed, 28 Oct 2020 15:49:15 +0000 bugzilla-daemon@xxxxxxxxxxxxxxxxxxx wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=209919
> 
>             Bug ID: 209919
>            Summary: kernel BUG at mm/usercopy.c:99 from stress-ng procfs
>            Product: Memory Management
>            Version: 2.5
>     Kernel Version: 5.10.0-rc1
>           Hardware: All
>                 OS: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: Other
>           Assignee: akpm@xxxxxxxxxxxxxxxxxxxx
>           Reporter: jbastian@xxxxxxxxxx
>         Regression: No
> 
> The procfs stressor from the stress-ng project triggers a kernel BUG in the
> 5.10.0-rc1 kernel on multiple architectures.

Thanks.  A question from Kees, below...

> x86_64:
> 
> [root@localhost stress-ng]# ./stress-ng --procfs 0 --timeout 60
> stress-ng: info:  [3031466] dispatching hogs: 4 procfs
> [  974.088011] ICMPv6: process `stress-ng-procf' is using deprecated sysctl
> (syscall) net.ipv6.neigh.enp0s29u1u1u5.retrans_time - use
> net.ipv6.neigh.enp0s29u1u1u5.retrans_time_ms instead 
> [  984.137351] usercopy: Kernel memory exposure attempt detected from SLUB
> object 'kmalloc-128' (offset 127, size 3)! 
> [  984.148917] ------------[ cut here ]------------ 
> [  984.154089] kernel BUG at mm/usercopy.c:99! 
> [  984.158813] invalid opcode: 0000 [#1] SMP PTI 
> [  984.163771] CPU: 0 PID: 3031471 Comm: stress-ng-procf Tainted: G          I 
>      5.10.0-rc1 #1 
> [  984.173483] Hardware name: IBM IBM System X3250 M4 -[2583AC1]-/00D3729, BIOS
> -[JQE158AUS-1.05]- 07/23/2013 
> [  984.184260] RIP: 0010:usercopy_abort+0x74/0x76 
> [  984.189219] Code: 67 5c 8b 51 48 0f 45 d6 49 c7 c3 73 f7 5f 8b 4c 89 d1 57
> 48 c7 c6 68 57 5e 8b 48 c7 c7 38 f8 5f 8b 49 0f 45 f3 e8 13 71 ff ff <0f> 0b 4c
> 89 e1 49 89 d8 44 89 ea 31 f6 48 29 c1 48 c7 c7 b5 f7 5f 
> [  984.210177] RSP: 0018:ffff9c1f007b3dc0 EFLAGS: 00010286 
> [  984.216000] RAX: 0000000000000066 RBX: 0000000000000003 RCX:
> 0000000000000000 
> [  984.223965] RDX: ffff911f37c27e20 RSI: ffff911f37c19050 RDI:
> ffff911f37c19050 
> [  984.231929] RBP: ffff911e04cd1f82 R08: 0000000000000000 R09:
> 0000000000000000 
> [  984.239893] R10: ffff9c1f007b3bf8 R11: ffffffff8bd711a8 R12:
> ffff911e04cd1f7f 
> [  984.247857] R13: 0000000000000001 R14: 0000000000000003 R15:
> ffff911e009b19c0 
> [  984.255821] FS:  00007fbabb42b180(0000) GS:ffff911f37c00000(0000)
> knlGS:0000000000000000 
> [  984.264915] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
> [  984.271520] CR2: 00007fbabb7ef000 CR3: 000000014e296001 CR4:
> 00000000001706f0 
> [  984.279683] Call Trace: 
> [  984.282581]  __check_heap_object+0xe0/0x110 
> [  984.287405]  __check_object_size+0x136/0x150 
> [  984.292347]  proc_sys_call_handler+0x167/0x250 
> [  984.297565]  new_sync_read+0x108/0x180 
> [  984.302082]  vfs_read+0x174/0x1d0 
> [  984.306126]  ksys_read+0x58/0xd0 
> [  984.310022]  do_syscall_64+0x33/0x40 
> [  984.314277]  entry_SYSCALL_64_after_hwframe+0x44/0xa9 

Can we determine which /proc/sys entries these are?

> [  984.320201] RIP: 0033:0x7fbabb6099ac 
> [  984.324514] Code: ec 28 48 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 89 fc
> ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 31 c0 0f 05 <48> 3d 00
> f0 ff ff 77 34 44 89 c7 48 89 44 24 08 e8 bf fc ff ff 48 
> [  984.346368] RSP: 002b:00007fff47397340 EFLAGS: 00000246 ORIG_RAX:
> 0000000000000000 
> [  984.355402] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
> 00007fbabb6099ac 
> [  984.363971] RDX: 0000000000000060 RSI: 00007fff47397390 RDI:
> 0000000000000006 
> [  984.372583] RBP: 0000000000000006 R08: 0000000000000000 R09:
> 0000000000000000 
> [  984.381093] R10: 00000000000fa2b4 R11: 0000000000000246 R12:
> 0000000000000003 
> [  984.389577] R13: 00007fff473a3630 R14: 0000000000001000 R15:
> 0000000000000060 
> [  984.398087] Modules linked in: binfmt_misc rfkill sunrpc intel_rapl_msr
> intel_rapl_common x86_pkg_temp_thermal mgag200 intel_powerclamp iTCO_wdt
> i2c_algo_bit coretemp intel_pmc_bxt cdc_ether gpio_ich drm_kms_helper
> iTCO_vendor_support usbnet mii cec rapl ipmi_ssif i2c_i801 intel_cstate e1000e
> intel_uncore ie31200_edac pcspkr ipmi_si i2c_smbus lpc_ich ipmi_devintf
> ipmi_msghandler drm ip_tables xfs crct10dif_pclmul crc32_pclmul crc32c_intel
> ghash_clmulni_intel ata_generic pata_acpi wmi 
> [  984.449316] ---[ end trace d44739bb135b1e63 ]--- 
> [  984.455360] RIP: 0010:usercopy_abort+0x74/0x76 
> [  984.461181] Code: 67 5c 8b 51 48 0f 45 d6 49 c7 c3 73 f7 5f 8b 4c 89 d1 57
> 48 c7 c6 68 57 5e 8b 48 c7 c7 38 f8 5f 8b 49 0f 45 f3 e8 13 71 ff ff <0f> 0b 4c
> 89 e1 49 89 d8 44 89 ea 31 f6 48 29 c1 48 c7 c7 b5 f7 5f 
> [  984.483379] RSP: 0018:ffff9c1f007b3dc0 EFLAGS: 00010286 
> [  984.489416] RAX: 0000000000000066 RBX: 0000000000000003 RCX:
> 0000000000000000 
> [  984.497965] RDX: ffff911f37c27e20 RSI: ffff911f37c19050 RDI:
> ffff911f37c19050 
> [  984.507102] RBP: ffff911e04cd1f82 R08: 0000000000000000 R09:
> 0000000000000000 
> [  984.515588] R10: ffff9c1f007b3bf8 R11: ffffffff8bd711a8 R12:
> ffff911e04cd1f7f 
> [  984.524474] R13: 0000000000000001 R14: 0000000000000003 R15:
> ffff911e009b19c0 
> [  984.532878] FS:  00007fbabb42b180(0000) GS:ffff911f37c00000(0000)
> knlGS:0000000000000000 
> [  984.542084] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
> [  984.548804] CR2: 00007fbabb7ef000 CR3: 000000014e296001 CR4:
> 00000000001706f0 
> 
> 
> aarch64 (arm64):
> 
> [root@localhost stress-ng]# ./stress-ng --procfs 0
> stress-ng: info:  [44802] defaulting to a 86400 second (1 day, 0.00 secs) run
> per stressor
> stress-ng: info:  [44802] dispatching hogs: 32 procfs
> stress-ng: info:  [44802] cache allocate: using defaults, can't determine cache
> details from sysfs
> [ 2934.501319] usercopy: Kernel memory exposure attempt detected from SLUB
> object 'kmalloc-128' (offset 82, size 73)! 
> [ 2934.516649] ------------[ cut here ]------------ 
> [ 2934.524448] kernel BUG at mm/usercopy.c:99! 
> [ 2934.532208] Internal error: Oops - BUG: 0 [#1] SMP 
> [ 2934.539950] Modules linked in: rfkill sunrpc nicvf cavium_ptp joydev nicpf
> cavium_rng_vf thunder_bgx thunder_xcv mdio_thunder cavium_rng mdio_cavium
> thunderx_edac ipmi_ssif ipmi_devintf ipmi_msghandler vfat fat ip_tables xfs ast
> i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt
> fb_sys_fops cec drm_ttm_helper ttm crct10dif_ce drm ghash_ce gpio_keys
> i2c_thunderx thunderx_mmc aes_neon_bs 
> [ 2934.540737] usercopy: Kernel memory exposure attempt detected from SLUB
> object 'kmalloc-128' (offset 55, size 108)! 
> [ 2934.550255] usercopy: Kernel memory exposure attempt detected from SLUB
> object 'kmalloc-128' (offset 86, size 68)! 
> [ 2934.550297] ------------[ cut here ]------------ 
> [ 2934.550300] kernel BUG at mm/usercopy.c:99! 
> [ 2934.589488] CPU: 6 PID: 44874 Comm: stress-ng-procf Not tainted 5.10.0-rc1
> #1 
> [ 2934.589492] Hardware name: GIGABYTE R120-T34-00/MT30-GS2-00, BIOS F02
> 08/06/2019 
> [ 2934.589497] pstate: 40400005 (nZcv daif +PAN -UAO -TCO BTYPE=--) 
> [ 2934.589507] pc : usercopy_abort+0x98/0x9c 
> [ 2934.589511] lr : usercopy_abort+0x98/0x9c 
> [ 2934.589518] sp : ffff80007e14bc70 
> [ 2934.603274] ------------[ cut here ]------------ 
> [ 2934.616904] x29: ffff80007e14bc80 x28: ffff00013a6d2a80  
> [ 2934.624799] kernel BUG at mm/usercopy.c:99! 
> [ 2934.707971]  
> [ 2934.707977] x27: 0000000000000000 x26: 0000000000000000  
> [ 2934.721063] x25: ffff80007e14bd30 x24: 0000000000000000  
> [ 2934.729652] x23: ffff000101e8a540 x22: ffff000149809a9b  
> [ 2934.738181] x21: 0000000000000001 x20: 0000000000000049  
> [ 2934.746646] x19: ffff000149809a52 x18: 0000000000000000  
> [ 2934.755018] x17: 0000000000000000 x16: 0000000000000000  
> [ 2934.763363] x15: 0000000000aaaaaa x14: 0000000000000020  
> [ 2934.771682] x13: 00000000000117ca x12: ffff8000120bbe00  
> [ 2934.780114] x11: 0000000000000003 x10: ffff80001208be18  
> [ 2934.788496] x9 : ffff8000102310c0 x8 : ffff80001208bdc0  
> [ 2934.796849] x7 : 0000000000000001 x6 : 0000000000000000  
> [ 2934.804954] x5 : 0000000000000000 x4 : ffff000ff63af410  
> [ 2934.813101] x3 : ffff000ff63be340 x2 : ffff000ff63af410  
> [ 2934.821102] x1 : ffff00013a6d2a80 x0 : 0000000000000066  
> [ 2934.829282] Call trace: 
> [ 2934.834432]  usercopy_abort+0x98/0x9c 
> [ 2934.840907]  __check_heap_object+0x124/0x138 
> [ 2934.847889]  __check_object_size+0x190/0x210 
> [ 2934.854815]  proc_sys_call_handler+0x154/0x220 
> [ 2934.861877]  proc_sys_read+0x1c/0x28 
> [ 2934.868165]  new_sync_read+0xdc/0x158 
> [ 2934.874521]  vfs_read+0x150/0x1e0 
> [ 2934.880382]  ksys_read+0x60/0xe8 
> [ 2934.886226]  __arm64_sys_read+0x24/0x30 
> [ 2934.892799]  el0_svc_common.constprop.0+0xac/0x1e0 
> [ 2934.900356]  do_el0_svc+0x2c/0x98 
> [ 2934.906348]  el0_sync_handler+0xb0/0xb8 
> [ 2934.912797]  el0_sync+0x178/0x180 
> [ 2934.918675] Code: aa0003e3 f0002620 911f8000 97fff564 (d4210000)  
> [ 2934.927269] ---[ end trace ed6d63c40907130f ]---
> 
> -- 
> You are receiving this mail because:
> You are the assignee for the bug.




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux