From: Sasha Levin <sasha.levin@oracle.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Al Viro <viro@ZenIV.linux.org.uk>,
	linux-fsdevel@vger.kernel.org,
	LKML <linux-kernel@vger.kernel.org>
Subject: module: BUG in copy_module_from_fd
Date: Fri, 20 Dec 2013 18:40:49 -0500
Message-ID: <52B4D581.40103@oracle.com>

Hi all,

While fuzzing with trinity inside a KVM tools guest running latest -next kernel, I've stumbled on 
the following spew.

This reproduced twice with the same call trace, so I suspect it's something specific with the way
the module subsystem calls vfs_getattr rather than something odd in vfs.

[ 1694.568277] BUG: unable to handle kernel paging request at ffff88022adf8010
[ 1694.570053] IP: [<ffffffff812d77ed>] generic_fillattr+0xd/0xa0
[ 1694.570053] PGD 8577067 PUD 42effb067 PMD 42eea4067 PTE 800000022adf8060
[ 1694.570053] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1694.570053] Dumping ftrace buffer:
[ 1694.570053]    (ftrace buffer empty)
[ 1694.570053] Modules linked in:
[ 1694.570053] CPU: 60 PID: 35977 Comm: trinity-child60 Tainted: G        W    3.13.0-rc4-next-20131219-sasha-00014-g94c0243-dirty #4166
[ 1694.570053] task: ffff8801064b8000 ti: ffff88013b56a000 task.ti: ffff88013b56a000
[ 1694.570053] waiting module removal not supported: please upgrade
[ 1694.570053] RIP: 0010:[<ffffffff812d77ed>]  [<ffffffff812d77ed>] generic_fillattr+0xd/0xa0
[ 1694.570053] RSP: 0018:ffff88013b56bdd8  EFLAGS: 00010246
[ 1694.570053] RAX: ffff88022adf8000 RBX: ffff88018d5202d0 RCX: ffff8801584537b0
[ 1694.570053] RDX: 0000000000000001 RSI: ffff88013b56be28 RDI: ffff88022c450550
[ 1694.570053] RBP: ffff88013b56bdd8 R08: ffff88022c450550 R09: 0000000000000000
[ 1694.570053] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88013b56be28
[ 1694.570053] R13: ffff88013b56bee8 R14: 0000000000000000 R15: 0000000000000193
[ 1694.570053] FS:  00007f9d4b25f700(0000) GS:ffff880066000000(0000) knlGS:0000000000000000
[ 1694.570053] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1694.570053] CR2: ffff88022adf8010 CR3: 000000013b565000 CR4: 00000000000006e0
[ 1694.570053] Stack:
[ 1694.570053]  ffff88013b56bde8 ffffffff812d78b8 ffff88013b56be08 ffffffff812d7ea7
[ 1694.570053]  ffff88018d5202c0 0000000000000000 ffff88013b56bec8 ffffffff811d76e5
[ 1694.570053]  0000000000000001 ffffffff811759a6 ffff88013b56be58 ffffffff81194e1a
[ 1694.570053] Call Trace:
[ 1694.570053]  [<ffffffff812d78b8>] vfs_getattr_nosec+0x38/0x40
[ 1694.570053]  [<ffffffff812d7ea7>] vfs_getattr+0x37/0x50
[ 1694.570053]  [<ffffffff811d76e5>] copy_module_from_fd+0x65/0x150
[ 1694.570053]  [<ffffffff811759a6>] ? vtime_account_user+0x96/0xb0
[ 1694.570053]  [<ffffffff81194e1a>] ? __lock_release+0x1da/0x1f0
[ 1694.570053]  [<ffffffff811759a6>] ? vtime_account_user+0x96/0xb0
[ 1694.570053]  [<ffffffff81249358>] ? context_tracking_user_exit+0xb8/0x1d0
[ 1694.570053]  [<ffffffff819dfc88>] ? security_capable+0x18/0x20
[ 1694.570053]  [<ffffffff811dd443>] SyS_finit_module+0xa3/0x100
[ 1694.570053]  [<ffffffff843a6fd0>] tracesys+0xdd/0xe2
[ 1694.570053] Code: 89 c8 48 8b 5d d8 4c 8b 65 e0 4c 8b 6d e8 4c 8b 75 f0 4c 8b 7d f8 c9 c3 90 90 90 90 90 90 55 48 89 e5 66 66 66 66 90 48 8b 47 28 <8b> 40 10 89 46 08 48 8b 47 40 48 89 06 0f b7 07 66 89 46 0c 8b
[ 1694.570053] RIP  [<ffffffff812d77ed>] generic_fillattr+0xd/0xa0
[ 1694.570053]  RSP <ffff88013b56bdd8>
[ 1694.570053] CR2: ffff88022adf8010


Thanks,
Sasha
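
A quick cross-check one can run on a trace like the one above before opening the source, added here as an example; it is not part of Sasha's report or of the kernel tree. It pulls the register dump, CR2 and the PTE value out of the oops text, decodes the instruction under the <..> marker in the Code: line (only the MOV r32, [base+disp8] form that appears here is handled), and confirms that base register plus displacement equals CR2 and that the PTE's Present bit is clear. The embedded OOPS text is copied from the report; PAGE_OFFSET is assumed to be 0xffff880000000000 (the x86-64 direct-map base for a kernel of that era), and the decoder is a deliberately minimal hypothetical helper, not a general disassembler.

```python
"""Triage helper for the oops quoted in the report above (added example)."""
import re

# Lines copied from the oops in the report (joined where the archive wrapped them).
OOPS = """\
[ 1694.568277] BUG: unable to handle kernel paging request at ffff88022adf8010
[ 1694.570053] PGD 8577067 PUD 42effb067 PMD 42eea4067 PTE 800000022adf8060
[ 1694.570053] RAX: ffff88022adf8000 RBX: ffff88018d5202d0 RCX: ffff8801584537b0
[ 1694.570053] RDX: 0000000000000001 RSI: ffff88013b56be28 RDI: ffff88022c450550
[ 1694.570053] CR2: ffff88022adf8010 CR3: 000000013b565000 CR4: 00000000000006e0
[ 1694.570053] Code: 89 c8 48 8b 5d d8 4c 8b 65 e0 4c 8b 6d e8 4c 8b 75 f0 4c 8b 7d f8 c9 c3 90 90 90 90 90 90 55 48 89 e5 66 66 66 66 90 48 8b 47 28 <8b> 40 10 89 46 08 48 8b 47 40 48 89 06 0f b7 07 66 89 46 0c 8b
"""

PAGE_OFFSET = 0xFFFF880000000000   # assumed x86-64 direct-map base for this kernel
# 64-bit GPRs in ModRM encoding order (reg/rm field value 0..7, no REX extension).
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def parse_regs(text):
    """Return {name: value} for the RAX..RDI dump, CR2/CR3/CR4 and the PTE line."""
    regs = {}
    for name, val in re.findall(r"\b(R[A-Z][A-Z]|CR[234]|PTE):? ([0-9a-f]{1,16})\b", text):
        regs[name.lower()] = int(val, 16)
    return regs


def parse_code(text):
    """Return the Code: bytes and the index of the byte marked <..> (the RIP)."""
    toks = re.search(r"Code: (.*)", text).group(1).split()
    hot = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return [int(t.strip("<>"), 16) for t in toks], hot


def decode_mov_load(code, i):
    """Decode 'mov r32, [base + disp8]' (opcode 8B, ModRM mod=01) at code[i]."""
    if code[i] != 0x8B:
        raise ValueError("byte at RIP is not MOV r32, r/m32: %#x" % code[i])
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm == 4:          # SIB forms are not needed for this oops
        raise ValueError("unsupported ModRM %#x" % modrm)
    disp = code[i + 2]
    if disp & 0x80:                  # disp8 is sign-extended
        disp -= 0x100
    return {"dst": "e" + REG64[reg][1:], "base": REG64[rm], "disp": disp}


def triage(text=OOPS):
    """Cross-check the faulting load against CR2 and the PTE reported for it."""
    regs = parse_regs(text)
    code, hot = parse_code(text)
    insn = decode_mov_load(code, hot)
    ea = (regs[insn["base"]] + insn["disp"]) & 0xFFFFFFFFFFFFFFFF
    pte = regs["pte"]
    return {
        "insn": "mov %#x(%%%s),%%%s" % (insn["disp"], insn["base"], insn["dst"]),
        "effective_address": ea,
        "matches_cr2": ea == regs["cr2"],
        "pte_present": bool(pte & 1),                      # bit 0 = Present
        "pte_frame": pte & 0x000FFFFFFFFFF000,             # physical frame, NX bit masked
        "direct_map_frame": (regs[insn["base"]] - PAGE_OFFSET) & ~0xFFF,
    }


if __name__ == "__main__":
    for key, val in triage().items():
        print("%-18s %s" % (key, hex(val) if type(val) is int else val))
```

Run on the trace above it decodes the marked bytes as mov 0x10(%rax),%eax, reports an effective address equal to CR2, and shows a PTE whose Present bit is clear while its frame matches the direct-map translation of RAX. That combination is what a load through a pointer into a page DEBUG_PAGEALLOC has already unmapped looks like, which is consistent with the report's suspicion that the object handed to vfs_getattr from copy_module_from_fd was no longer valid, rather than with a fault in the VFS code itself.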

Thread overview: 2+ messages
2013-12-20 23:40 Sasha Levin [this message]
2013-12-21  0:33 ` module: BUG in copy_module_from_fd Sasha Levin