From: Sasha Levin <sasha.levin@oracle.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: net: netlink executing RO memory
Date: Sat, 07 Jun 2014 11:07:14 -0400
Message-ID: <53932AA2.4050204@oracle.com>
In-Reply-To: <53915571.7050801@oracle.com>

On 06/06/2014 01:45 AM, Sasha Levin wrote:
> On 06/05/2014 04:21 PM, Sasha Levin wrote:
>> Hi all,
>>
>> While fuzzing with trinity inside a KVM tools guest running the latest -next
>> kernel I've stumbled on the following spew:
>>
>> [ 306.065161] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
>> [ 306.067295] BUG: unable to handle kernel paging request at ffff880053b8fd08
>
> Same issue reproduced multiple times with exactly the same trace, so I think that it
> rules out random memory corruption.

I might have another lead on this: I caught debug objects complaining about freeing
active objects:

[ 592.020501] ODEBUG: free active (active state 1) object type: rcu_head hint: (null)
[ 592.020501] Modules linked in:
[ 592.020501] CPU: 15 PID: 16543 Comm: trinity-c47 Not tainted 3.15.0-rc8-next-20140606-sasha-00021-ga9d3a0b-dirty #596
[ 592.020501] 0000000000000009 ffff880224793988 ffffffff9350fe6b 0000000000000002
[ 592.020501] ffff8802247939d8 ffff8802247939c8 ffffffff9015f96c ffff88000fd40cf8
[ 592.020501] ffff88006d9a9870 ffffffff9508a000 ffffffff948fbd48 ffffffff97891e90
[ 592.020501] Call Trace:
[ 592.020501] dump_stack (lib/dump_stack.c:52)
[ 592.020501] warn_slowpath_common (kernel/panic.c:430)
[ 592.020501] warn_slowpath_fmt (kernel/panic.c:445)
[ 592.020501] debug_print_object (lib/debugobjects.c:265)
[ 592.020501] __debug_check_no_obj_freed (lib/debugobjects.c:698)
[ 592.020501] debug_check_no_obj_freed (lib/debugobjects.c:727)
[ 592.020501] __vunmap (mm/vmalloc.c:1457)
[ 592.020501] vfree (mm/vmalloc.c:1505)
[ 592.020501] netlink_skb_destructor (net/netlink/af_netlink.c:882)
[ 592.020501] skb_release_head_state (net/core/skbuff.c:566)
[ 592.020501] skb_release_all (net/core/skbuff.c:584)
[ 592.020501] __kfree_skb (net/core/skbuff.c:529 net/core/skbuff.c:600)
[ 592.020501] consume_skb (net/core/skbuff.c:672)
[ 592.020501] skb_free_datagram (include/net/sock.h:1419 include/net/sock.h:1450 net/core/datagram.c:244)
[ 592.020501] netlink_recvmsg (net/netlink/af_netlink.c:2482)
[ 592.020501] ? preempt_count_sub (kernel/sched/core.c:2602)
[ 592.020501] sock_aio_read (net/socket.c:917 net/socket.c:935)
[ 592.020501] ? rw_copy_check_uvector (fs/read_write.c:753)
[ 592.020501] do_sync_readv_writev (fs/read_write.c:683)
[ 592.020501] do_readv_writev (fs/read_write.c:837)
[ 592.020501] ? vtime_account_user (kernel/sched/cputime.c:687)
[ 592.020501] ? get_parent_ip (kernel/sched/core.c:2546)
[ 592.020501] ? __fget_light (include/linux/rcupdate.h:428 include/linux/fdtable.h:80 fs/file.c:684)
[ 592.020501] vfs_readv (fs/read_write.c:866)
[ 592.020501] SyS_readv (fs/read_write.c:892 fs/read_write.c:884)
[ 592.020501] tracesys (arch/x86/kernel/entry_64.S:542)

I can't link them together (stacks don't match with what I'd expect to see in that
case), but that might be related somehow.

Thanks,
Sasha