Re: [mm/usercopy] 517e1fbeb6: kernel BUG at arch/x86/mm/physaddr.c:78!
From: Laura Abbott
Date: Mon May 08 2017 - 14:41:57 EST
On 05/07/2017 07:51 AM, Kees Cook wrote:
> On Sun, May 7, 2017 at 2:06 AM, kernel test robot
> <fengguang.wu@xxxxxxxxx> wrote:
>> Greetings,
>>
>> 0day kernel testing robot got the below dmesg and the first bad commit is
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>>
>> commit 517e1fbeb65f5eade8d14f46ac365db6c75aea9b
>> Author: Laura Abbott <labbott@xxxxxxxxxx>
>> AuthorDate: Tue Apr 4 14:09:00 2017 -0700
>> Commit: Kees Cook <keescook@xxxxxxxxxxxx>
>> CommitDate: Wed Apr 5 12:30:18 2017 -0700
>>
>> mm/usercopy: Drop extra is_vmalloc_or_module() check
>>
>> Previously virt_addr_valid() was insufficient to validate if virt_to_page()
>> could be called on an address on arm64. This has since been fixed up so
>> there is no need for the extra check. Drop it.
>>
>> Signed-off-by: Laura Abbott <labbott@xxxxxxxxxx>
>> Acked-by: Mark Rutland <mark.rutland@xxxxxxx>
>> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>
> This appears to be from CONFIG_DEBUG_VIRTUAL on __phys_addr, used by
> hardened usercopy, probably during virt_addr_valid(). I'll take a
> closer look on Monday...
>
> -Kees
>
So this looks like a strange edge case/bug on x86 32-bit.
virt_addr_valid is returning true on vmalloc addresses because
__vmalloc_start_set is never getting set because the below
configuration uses CONFIG_NEED_MULTIPLE_NODES=y and that variable
only gets set with CONFIG_NEED_MULTIPLE_NODES=n currently. If
I set it in arch/x86/mm/numa_32.c, it seems to work:
Thanks,
Laura
diff --git a/arch/x86/mm/numa_32.c b/arch/x86/mm/numa_32.c
index 6b7ce62..aca6295 100644
--- a/arch/x86/mm/numa_32.c
+++ b/arch/x86/mm/numa_32.c
@@ -100,5 +100,6 @@ void __init initmem_init(void)
printk(KERN_DEBUG "High memory starts at vaddr %08lx\n",
(ulong) pfn_to_kaddr(highstart_pfn));
+ __vmalloc_start_set = true;
setup_bootmem_allocator();
}
>>
>> 96dc4f9fb6 usercopy: Move enum for arch_within_stack_frames()
>> 517e1fbeb6 mm/usercopy: Drop extra is_vmalloc_or_module() check
>> 13e0988140 docs: complete bumping minimal GNU Make version to 3.81
>> 9e597e815f Add linux-next specific files for 20170505
>> +------------------------------------------------------+------------+------------+------------+---------------+
>> | | 96dc4f9fb6 | 517e1fbeb6 | 13e0988140 | next-20170505 |
>> +------------------------------------------------------+------------+------------+------------+---------------+
>> | boot_successes | 35 | 3 | 6 | 0 |
>> | boot_failures | 0 | 12 | 13 | 18 |
>> | kernel_BUG_at_arch/x86/mm/physaddr.c | 0 | 12 | 13 | 13 |
>> | invalid_opcode:#[##] | 0 | 12 | 13 | 13 |
>> | EIP:__phys_addr | 0 | 12 | 13 | 13 |
>> | Kernel_panic-not_syncing:Fatal_exception | 0 | 12 | 13 | 13 |
>> | WARNING:at_kernel/cpu.c:#lockdep_assert_hotplug_held | 0 | 0 | 0 | 18 |
>> | EIP:lockdep_assert_hotplug_held | 0 | 0 | 0 | 18 |
>> +------------------------------------------------------+------------+------------+------------+---------------+
>>
>> [main] Setsockopt(1 22 80d3000 4) on fd 47 [1:5:1]
>> [ 18.665929] sock: process `trinity-main' is using obsolete setsockopt SO_BSDCOMPAT
>> [main] Setsockopt(1 e 80d3000 90) on fd 49 [1:2:1]
>> [main] Setsockopt(10e 5 80d3000 4) on fd 52 [16:3:16]
>> [ 18.668412] ------------[ cut here ]------------
>> [ 18.668824] kernel BUG at arch/x86/mm/physaddr.c:78!
>> [ 18.669424] invalid opcode: 0000 [#1] SMP
>> [ 18.669776] CPU: 0 PID: 754 Comm: trinity-main Not tainted 4.11.0-rc2-00002-g517e1fb #1
>> [ 18.670469] task: 4ca52e80 task.stack: 4c572000
>> [ 18.670860] EIP: __phys_addr+0x120/0x130
>> [ 18.671189] EFLAGS: 00010202 CPU: 0
>> [ 18.671482] EAX: 0000ff01 EBX: 50851020 ECX: 00000000 EDX: 00000001
>> [ 18.672025] ESI: 0000ff01 EDI: 10851020 EBP: 4c573e70 ESP: 4c573e60
>> [ 18.672557] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
>> [ 18.673025] CR0: 80050033 CR2: 084da000 CR3: 0c65c4a0 CR4: 001406f0
>> [ 18.673560] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
>> [ 18.674100] DR6: fffe0ff0 DR7: 00000400
>> [ 18.674420] Call Trace:
>> [ 18.674632] __check_object_size+0xff/0x42f
>> [ 18.674988] ? __might_sleep+0x8e/0x130
>> [ 18.675310] __get_filter+0xaa/0x130
>> [ 18.675612] sk_attach_filter+0x15/0x90
>> [ 18.675937] sock_setsockopt+0x6b3/0x960
>> [ 18.676263] SyS_socketcall+0x773/0x810
>> [ 18.676585] ? __do_page_fault+0x36c/0x730
>> [ 18.676932] do_int80_syscall_32+0x8a/0x230
>> [ 18.677307] ? prepare_exit_to_usermode+0x38/0x60
>> [ 18.677712] entry_INT80_32+0x2f/0x2f
>> [ 18.678034] EIP: 0x37688a42
>> [ 18.678278] EFLAGS: 00000202 CPU: 0
>> [ 18.678580] EAX: ffffffda EBX: 0000000e ECX: 3fc2da40 EDX: 3fc2dac0
>> [ 18.679099] ESI: 00000004 EDI: 00000035 EBP: 3753f1ac ESP: 3fc2da3c
>> [ 18.679618] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
>> [ 18.680069] Code: 00 00 e0 ff 2d 00 20 00 00 39 c3 0f 83 47 ff ff ff c7 04 24 00 00 00 00 31 c9 ba 01 00 00 00 b8 98 e7 1a 42 e8 22 3e 0d 00 0f 0b <0f> 0b 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00 55 89 e5 53 3e
>> [ 18.681652] EIP: __phys_addr+0x120/0x130 SS:ESP: 0068:4c573e60
>> [ 18.682174] ---[ end trace bbf34582d6d63d7a ]---
>> [ 18.682636] Kernel panic - not syncing: Fatal exception
>>
>> # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
>> git bisect start 773f7f5cf2d18eb40343d1e4e9a49062739e0425 a351e9b9fc24e982ec2f0e76379a49826036da12 --
>> git bisect bad 39af3d3d90897d17d79bc655068cf09a717a0e68 # 12:26 B 0 4 15 0 Merge 'mellanox/queue-next' into devel-spot-201705070851
>> git bisect bad 32f465722603afc8d3d90ad9fb999095afe11205 # 12:42 B 0 11 22 0 Merge 'linux-review/David-Ahern/net-reducing-memory-footprint-of-network-devices/20170507-031536' into devel-spot-201705070851
>> git bisect bad 1cbccce1b4565d60c4d9a5bc3aaf8d63b5b9224f # 12:53 B 0 11 22 0 Merge 'linux-review/Geliang-Tang/yam-use-memdup_user/20170507-045454' into devel-spot-201705070851
>> git bisect bad 408133c058c5492c03ff9f3827ccdb65b42cb842 # 13:06 B 0 11 22 0 Merge 'linux-review/Christophe-JAILLET/firmware-Google-VPD-Fix-memory-allocation-error-handling/20170507-064549' into devel-spot-201705070851
>> git bisect bad d5f6ce59cba315fc39f8bdd594d9a6ec7633be45 # 13:14 B 0 1 12 0 Merge 'linux-review/Geert-Uytterhoeven/signal-Export-signal_wake_up_state-to-modules/20170507-082935' into devel-spot-201705070851
>> git bisect good 163f34fcdf2791ac0e609d59440a9ef90d2bf3d2 # 13:34 G 11 0 0 0 0day base guard for 'devel-spot-201705070851'
>> git bisect good ddd92361062a7eb9708eb6c633346c35d0d67d2f # 13:45 G 11 0 0 0 Merge 'linux-review/Geliang-Tang/platform-x86-toshiba_acpi-use-memdup_user_nul/20170507-083752' into devel-spot-201705070851
>> git bisect bad a3719f34fdb664ffcfaec2160ef20fca7becf2ee # 13:57 B 0 11 22 0 Merge branch 'generic' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
>> git bisect good 5d15af6778b8e4ed1fd41b040283af278e7a9a72 # 14:11 G 11 0 0 0 Merge branch 'tipc-refactor-socket-receive-functions'
>> git bisect good 7c8c03bfc7b9f5211d8a69eab7fee99c9fb4f449 # 14:21 G 11 0 0 0 Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
>> git bisect bad 8d65b08debc7e62b2c6032d7fe7389d895b92cbc # 14:30 B 0 11 22 0 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
>> git bisect good b68e7e952f24527de62f4768b1cead91f92f5f6e # 14:40 G 11 0 0 0 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
>> git bisect bad 5b13475a5e12c49c24422ba1bd9998521dec1d4e # 14:51 B 0 11 22 0 Merge branch 'work.iov_iter' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
>> git bisect good 0cb300623e3bb460fd9853bbde2fd1973e3bbcd8 # 15:01 G 11 0 0 0 usb: gadget.h: be consistent at kernel doc macros
>> git bisect good 3a7d2fd16c57a1ef47dc2891171514231c9c7c6e # 15:21 G 11 0 0 0 pstore: Solve lockdep warning by moving inode locks
>> git bisect good c58d4055c054fc6dc72f1be8bc71bd6fff209e48 # 15:35 G 11 0 0 0 Merge tag 'docs-4.12' of git://git.lwn.net/linux
>> git bisect bad 6fd4e7f7744bd7859ca3cae19c4613252ebb6bff # 15:43 B 0 11 22 0 Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6
>> git bisect bad 5958cc49ed2961a059d92ae55afeeaba64a783a0 # 15:51 B 0 1 12 0 Merge tag 'usercopy-v4.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
>> git bisect bad 517e1fbeb65f5eade8d14f46ac365db6c75aea9b # 16:05 B 0 11 22 0 mm/usercopy: Drop extra is_vmalloc_or_module() check
>> git bisect good 96dc4f9fb64690fc34410415fd1fc609cf803f61 # 16:14 G 11 0 0 0 usercopy: Move enum for arch_within_stack_frames()
>> # first bad commit: [517e1fbeb65f5eade8d14f46ac365db6c75aea9b] mm/usercopy: Drop extra is_vmalloc_or_module() check
>> git bisect good 96dc4f9fb64690fc34410415fd1fc609cf803f61 # 16:17 G 31 0 0 0 usercopy: Move enum for arch_within_stack_frames()
>> # extra tests with CONFIG_DEBUG_INFO_REDUCED
>> git bisect bad 517e1fbeb65f5eade8d14f46ac365db6c75aea9b # 16:31 B 0 11 22 0 mm/usercopy: Drop extra is_vmalloc_or_module() check
>> # extra tests on HEAD of linux-devel/devel-spot-201705070851
>> git bisect bad 773f7f5cf2d18eb40343d1e4e9a49062739e0425 # 16:32 B 0 22 37 0 0day head guard for 'devel-spot-201705070851'
>> # extra tests on tree/branch linus/master
>> git bisect bad 13e0988140374123bead1dd27c287354cb95108e # 16:43 B 0 11 22 0 docs: complete bumping minimal GNU Make version to 3.81
>> # extra tests with first bad commit reverted
>> git bisect good 688e95d3e3571e6b1c08da62fc402f1c1c3d5542 # 16:53 G 10 0 0 0 Revert "mm/usercopy: Drop extra is_vmalloc_or_module() check"
>> # extra tests on tree/branch linux-next/master
>> git bisect bad 9e597e815f68867c70d1b70cb2b037b92a8ec12b # 17:06 B 0 9 27 7 Add linux-next specific files for 20170505
>>
>> ---
>> 0-DAY kernel test infrastructure Open Source Technology Center
>> https://lists.01.org/pipermail/lkp Intel Corporation
>
>
>