From: Colin Ian King via Bugspray Bot <bugbot@kernel.org>
To: deller@gmx.de, bugs@lists.linux.dev,
linux-parisc@vger.kernel.org,
James.Bottomley@HansenPartnership.com
Subject: calling getcpu with misaligned address causes kernel panic
Date: Tue, 01 Oct 2024 15:00:12 +0000
Message-ID: <20241001-b219339c0-15109b153aef@bugzilla.kernel.org>
Colin Ian King writes via Kernel.org Bugzilla:
Passing a read-only incorrectly aligned address into getcpu() causes a kernel panic. I originally found this issue when testing stress-ng using stress-ng --sysbadaddr 1, I've managed to make a short reproducer that can panic the kernel on every invocation of the program.
I can reproduce this on mainline kernels (in Debian), tested and reproduced on kernels 6.6.15, 6.9.7 and 6.10.6, so it's been around a while and it's still reproducible on recent kernels.
This only occurs on PA-RISC (hppa) kernels and only tested in a QEMU VM since I don't have access to real H/W.
cking@hppa:~$ cat crash.c
#define _GNU_SOURCE
#include <sched.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(void)
{
	char *addr;

	/* One read-only anonymous page: the kernel's put_user() into it must fail. */
	addr = mmap(NULL, 4096, PROT_READ, MAP_ANONYMOUS | MAP_SHARED, -1, 0);
	if (addr != MAP_FAILED)
		/* cpu pointer aligned but read-only, node pointer misaligned by one byte */
		getcpu((unsigned int *)addr, (unsigned int *)(1 + addr));
	return 0;
}
cking@hppa:~$ gcc crash.c -o crash
cking@hppa:~$ ./crash
[ 361.158650] Backtrace:
[ 361.159621] [<10413c78>] handle_unaligned+0x590/0x710
[ 361.159621] [<10409354>] handle_interruption+0x1dc/0x7b8
[ 361.159621] [<104545d8>] sys_getcpu+0x30/0x74
[ 361.159621]
[ 361.159621]
[ 361.159621] Page fault: bad address: Code=26 (Data memory access rights trap) at addr f9000000
[ 361.159621] CPU: 2 PID: 749 Comm: crash Not tainted 6.6.15-parisc #1 Debian 6.6.15-2
[ 361.159621] Hardware name: 9000/778/B160L
[ 361.159621]
[ 361.159621] YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
[ 361.159621] PSW: 00000000000001000000000000001111 Not tainted
[ 361.159621] r00-03 0004000f 00000000 10413c78 142903c0
[ 361.159621] r04-07 14290080 12a08000 fc000000 f9000001
[ 361.159621] r08-11 00000000 0f3dd280 f9099c20 f9096e58
[ 361.159621] r12-15 00011008 0119c228 00000000 00000001
[ 361.159621] r16-19 14290080 00138428 011b4e00 ff000000
[ 361.159621] r20-23 00000000 00000000 00000000 00000011
[ 361.159621] r24-27 00000000 00000000 14290080 110dd848
[ 361.159621] r28-31 f9000000 00000000 14290400 000003c3
[ 361.159621] sr00-03 000003c3 000003c3 00000000 000003c3
[ 361.159621] sr04-07 00000000 00000000 00000000 00000000
[ 361.159621]
[ 361.159621] IASQ: 00000000 00000000 IAOQ: 104135ac 104135b0
[ 361.170517] IIR: 0f945280 ISR: 000003c3 IOR: f9000000
[ 361.170517] CPU: 2 CR30: 12a08000 CR31: 00000000
[ 361.170517] ORIG_R28: 12a08000
[ 361.170517] IAOQ[0]: emulate_stw+0x5c/0x94
[ 361.170517] IAOQ[1]: emulate_stw+0x60/0x94
[ 361.170517] RP(r2): handle_unaligned+0x590/0x710
[ 361.170517] Backtrace:
[ 361.170517] [<10413c78>] handle_unaligned+0x590/0x710
[ 361.170517] [<10409354>] handle_interruption+0x1dc/0x7b8
[ 361.170517] [<104545d8>] sys_getcpu+0x30/0x74
[ 361.170517]
[ 361.170517] Kernel panic - not syncing: Page fault: bad address
[ 361.170517] ---[ end Kernel panic - not syncing: Page fault: bad address ]---
View: https://bugzilla.kernel.org/show_bug.cgi?id=219339#c0
You can reply to this message to join the discussion.
--
Deet-doot-dot, I am a bot.
Kernel.org Bugzilla (bugspray 0.1-dev)
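The report above shows one combination (read-only page, pointer misaligned by one byte) taking the parisc unaligned-access handler down. As an added example, not part of the bug report or of stress-ng, the harness below probes every combination of page protection and pointer alignment through the raw getcpu(2) syscall number, so the kernel's put_user() path is exercised even on architectures where the libc getcpu() wrapper is answered from the vDSO without entering the kernel. It assumes Linux and the syscall returning -1/errno on failure; the function name probe_getcpu and the outcome encoding are this example's own. On a fixed kernel every read-only case must come back as EFAULT rather than an oops, which is the check a practitioner would run after applying a fix.

```c
// Added example (not from the bug report): classify how the running kernel's
// getcpu(2) handles each (protection, alignment) pair. Assumes Linux.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Map one anonymous page with protection `prot`, then call getcpu(2) with the
 * cpu and node output pointers placed `offset` bytes into it. The raw syscall
 * is used on purpose: the libc wrapper may be served by the vDSO and never
 * reach the kernel's put_user() path that the parisc bug lives in.
 * Returns 0 when the syscall succeeds, the errno it reported otherwise, or -1
 * if the mapping could not be created. */
int probe_getcpu(int prot, size_t offset)
{
	size_t page = (size_t)sysconf(_SC_PAGESIZE);
	char *addr = mmap(NULL, page, prot, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
	if (addr == MAP_FAILED)
		return -1;

	/* Both outputs stay inside the page; `offset` controls alignment only. */
	unsigned int *cpu = (unsigned int *)(addr + offset);
	unsigned int *node = (unsigned int *)(addr + offset + sizeof(unsigned int));

	long rc = syscall(SYS_getcpu, cpu, node, NULL);
	int err = (rc == 0) ? 0 : errno;

	munmap(addr, page);
	return err;
}

/* Human-readable label for one probe result. */
static const char *describe(int err)
{
	if (err == 0)
		return "ok";
	if (err == -1)
		return "mmap failed";
	return strerror(err);
}

int main(void)
{
	struct { const char *name; int prot; } prots[] = {
		{ "rw", PROT_READ | PROT_WRITE },
		{ "ro", PROT_READ },
	};
	size_t offsets[] = { 0, 1 }; /* 0 = aligned, 1 = misaligned by one byte */

	for (size_t p = 0; p < 2; p++)
		for (size_t o = 0; o < 2; o++)
			printf("page=%s offset=%zu -> %s\n", prots[p].name,
			       offsets[o], describe(probe_getcpu(prots[p].prot, offsets[o])));
	return 0;
}
```

The read-only/misaligned row is exactly the reproducer's case: on an unaffected architecture it prints "Bad address", and a kernel that oopses there instead has the defect this thread is about.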
2024-10-01 15:00 Colin Ian King via Bugspray Bot [this message]
2024-10-01 15:00 ` calling getcpu with misaligned address causes kernel panic Colin Ian King via Bugspray Bot
2024-10-01 16:05 ` Helge Deller via Bugspray Bot
2024-10-01 17:45 ` Colin Ian King via Bugspray Bot
2024-10-01 22:20 ` Helge Deller via Bugspray Bot
2024-10-02 2:45 ` Helge Deller via Bugspray Bot
2024-10-08 20:20 ` Helge Deller via Bugspray Bot
2024-10-14 19:00 ` Helge Deller via Bugspray Bot
2024-10-15 9:15 ` Colin Ian King via Bugspray Bot