From: Sasha Levin <sasha.levin@oracle.com>
To: "linux-mm@kvack.org" <linux-mm@kvack.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
LKML <linux-kernel@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Dave Jones <davej@redhat.com>
Subject: mm/sched/net: BUG when running simple code
Date: Thu, 12 Jun 2014 22:56:16 -0400 [thread overview]
Message-ID: <539A6850.4090408@oracle.com> (raw)
Hi all,
Okay, I'm really lost. I got the following when fuzzing, and can't really explain what's
going on. It seems that we get a "unable to handle kernel paging request" when running
rather simple code, and I can't figure out how it would cause it.
The code in question is (in net/netlink/af_netlink.c):
static int netlink_getsockopt(struct socket *sock, int level, int optname,
char __user *optval, int __user *optlen)
{
struct sock *sk = sock->sk;
struct netlink_sock *nlk = nlk_sk(sk);
int len, val, err;
if (level != SOL_NETLINK)
return -ENOPROTOOPT;
if (get_user(len, optlen))
return -EFAULT;
if (len < 0) <==== THIS
return -EINVAL;
The disassembly I got shows:
if (get_user(len, optlen))
b1f: e8 00 00 00 00 callq b24 <netlink_getsockopt+0x44>
b20: R_X86_64_PC32 might_fault-0x4
b24: 4c 89 e0 mov %r12,%rax
b27: e8 00 00 00 00 callq b2c <netlink_getsockopt+0x4c>
b28: R_X86_64_PC32 __get_user_4-0x4
b2c: 85 c0 test %eax,%eax
b2e: 74 10 je b40 <netlink_getsockopt+0x60>
return -EFAULT;
b30: bb f2 ff ff ff mov $0xfffffff2,%ebx
b35: e9 06 01 00 00 jmpq c40 <netlink_getsockopt+0x160>
b3a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
if (len < 0)
b40: 85 d2 test %edx,%edx
b42: 0f 88 f0 00 00 00 js c38 <netlink_getsockopt+0x158>
return -EINVAL;
Which agrees with the trace I got:
[ 516.309720] BUG: unable to handle kernel paging request at ffffffffa0f12560
[ 516.309720] IP: netlink_getsockopt (net/netlink/af_netlink.c:2271)
[ 516.309720] PGD 22031067 PUD 22032063 PMD 8000000020e001e1
[ 516.309720] Oops: 0003 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 516.309720] Dumping ftrace buffer:
[ 516.309720] (ftrace buffer empty)
[ 516.309720] Modules linked in:
[ 516.309720] CPU: 11 PID: 9212 Comm: trinity-c11 Tainted: G W 3.15.0-next-20140612-sasha-00022-g5e4db85-dirty #645
[ 516.309720] task: ffff8803fc860000 ti: ffff8803fc85c000 task.ti: ffff8803fc85c000
[ 516.309720] RIP: netlink_getsockopt (net/netlink/af_netlink.c:2271)
[ 516.309720] RSP: 0018:ffff8803fc85fed8 EFLAGS: 00010216
[ 516.309720] RAX: ffffffffa0f12560 RBX: 00000000ffffffa4 RCX: 0000000000000003
[ 516.309720] RDX: 00000000ffff9002 RSI: 0000000049908020 RDI: ffff88025c16a100
[ 516.309720] RBP: ffff8803fc85ff18 R08: 0000000000000001 R09: c900000000fd37ff
[ 516.309720] R10: 0000000000000001 R11: 0000000000000000 R12: ffffffffffff9002
[ 516.309720] R13: ffff88025c16a100 R14: 0000000000000001 R15: ffff88025bfa9bd8
[ 516.309720] FS: 00007f54be0a7700(0000) GS:ffff8802c8e00000(0000) knlGS:0000000000000000
[ 516.309720] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 516.309720] CR2: ffffffffa0f12560 CR3: 000000040b1fb000 CR4: 00000000000006a0
[ 516.309720] Stack:
[ 516.309720] ffff8803fc85ff18 ffff8803fc85ff18 ffff8803fc85fef8 8900200549908020
[ 516.309720] ffff8803fc85ff18 ffffffff9ff66470 ffff8803fc85ff18 0000000000000037
[ 516.309720] ffff8803fc85ff78 ffffffff9ff69d26 0000000000000037 0000000000000004
[ 516.309720] Call Trace:
[ 516.309720] ? sockfd_lookup_light (net/socket.c:457)
[ 516.309720] SyS_getsockopt (net/socket.c:1945 net/socket.c:1929)
[ 516.309720] tracesys (arch/x86/kernel/entry_64.S:542)
[ 516.309720] Code: b2 fd 85 c0 74 10 bb f2 ff ff ff e9 06 01 00 00 66 0f 1f 44 00 00 85 d2 0f 88 f0 00 00 00 41 83 fd 04 74 42 41 83 fd 05 0f 84 88 <00> 00 00 41 83 fd 03 0f 85 de 00 00 00 83 fa 03 bb ea ff ff ff
All code
========
0: b2 fd mov $0xfd,%dl
2: 85 c0 test %eax,%eax
4: 74 10 je 0x16
6: bb f2 ff ff ff mov $0xfffffff2,%ebx
b: e9 06 01 00 00 jmpq 0x116
10: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
16: 85 d2 test %edx,%edx
18:* 0f 88 f0 00 00 00 js 0x10e <-- trapping instruction
1e: 41 83 fd 04 cmp $0x4,%r13d
22: 74 42 je 0x66
24: 41 83 fd 05 cmp $0x5,%r13d
28: 0f 84 88 00 00 00 je 0xb6
2e: 41 83 fd 03 cmp $0x3,%r13d
32: 0f 85 de 00 00 00 jne 0x116
38: 83 fa 03 cmp $0x3,%edx
3b: bb ea ff ff ff mov $0xffffffea,%ebx
...
Code starting with the faulting instruction
===========================================
0: 00 00 add %al,(%rax)
2: 00 41 83 add %al,-0x7d(%rcx)
5: fd std
6: 03 0f add (%rdi),%ecx
8: 85 de test %ebx,%esi
a: 00 00 add %al,(%rax)
c: 00 83 fa 03 bb ea add %al,-0x1544fc06(%rbx)
12: ff (bad)
13: ff (bad)
14: ff 00 incl (%rax)
[ 516.309720] RIP netlink_getsockopt (net/netlink/af_netlink.c:2271)
[ 516.309720] RSP <ffff8803fc85fed8>
[ 516.309720] CR2: ffffffffa0f12560
They only theory I had so far is that netlink is a module, and has gone away while the code
was executing, but netlink isn't a module on my kernel.
Thanks,
Sasha
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sasha.levin@oracle.com>
To: "linux-mm@kvack.org" <linux-mm@kvack.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
LKML <linux-kernel@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Dave Jones <davej@redhat.com>
Subject: mm/sched/net: BUG when running simple code
Date: Thu, 12 Jun 2014 22:56:16 -0400 [thread overview]
Message-ID: <539A6850.4090408@oracle.com> (raw)
Hi all,
Okay, I'm really lost. I got the following when fuzzing, and can't really explain what's
going on. It seems that we get a "unable to handle kernel paging request" when running
rather simple code, and I can't figure out how it would cause it.
The code in question is (in net/netlink/af_netlink.c):
static int netlink_getsockopt(struct socket *sock, int level, int optname,
char __user *optval, int __user *optlen)
{
struct sock *sk = sock->sk;
struct netlink_sock *nlk = nlk_sk(sk);
int len, val, err;
if (level != SOL_NETLINK)
return -ENOPROTOOPT;
if (get_user(len, optlen))
return -EFAULT;
if (len < 0) <==== THIS
return -EINVAL;
The disassembly I got shows:
if (get_user(len, optlen))
b1f: e8 00 00 00 00 callq b24 <netlink_getsockopt+0x44>
b20: R_X86_64_PC32 might_fault-0x4
b24: 4c 89 e0 mov %r12,%rax
b27: e8 00 00 00 00 callq b2c <netlink_getsockopt+0x4c>
b28: R_X86_64_PC32 __get_user_4-0x4
b2c: 85 c0 test %eax,%eax
b2e: 74 10 je b40 <netlink_getsockopt+0x60>
return -EFAULT;
b30: bb f2 ff ff ff mov $0xfffffff2,%ebx
b35: e9 06 01 00 00 jmpq c40 <netlink_getsockopt+0x160>
b3a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
if (len < 0)
b40: 85 d2 test %edx,%edx
b42: 0f 88 f0 00 00 00 js c38 <netlink_getsockopt+0x158>
return -EINVAL;
Which agrees with the trace I got:
[ 516.309720] BUG: unable to handle kernel paging request at ffffffffa0f12560
[ 516.309720] IP: netlink_getsockopt (net/netlink/af_netlink.c:2271)
[ 516.309720] PGD 22031067 PUD 22032063 PMD 8000000020e001e1
[ 516.309720] Oops: 0003 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 516.309720] Dumping ftrace buffer:
[ 516.309720] (ftrace buffer empty)
[ 516.309720] Modules linked in:
[ 516.309720] CPU: 11 PID: 9212 Comm: trinity-c11 Tainted: G W 3.15.0-next-20140612-sasha-00022-g5e4db85-dirty #645
[ 516.309720] task: ffff8803fc860000 ti: ffff8803fc85c000 task.ti: ffff8803fc85c000
[ 516.309720] RIP: netlink_getsockopt (net/netlink/af_netlink.c:2271)
[ 516.309720] RSP: 0018:ffff8803fc85fed8 EFLAGS: 00010216
[ 516.309720] RAX: ffffffffa0f12560 RBX: 00000000ffffffa4 RCX: 0000000000000003
[ 516.309720] RDX: 00000000ffff9002 RSI: 0000000049908020 RDI: ffff88025c16a100
[ 516.309720] RBP: ffff8803fc85ff18 R08: 0000000000000001 R09: c900000000fd37ff
[ 516.309720] R10: 0000000000000001 R11: 0000000000000000 R12: ffffffffffff9002
[ 516.309720] R13: ffff88025c16a100 R14: 0000000000000001 R15: ffff88025bfa9bd8
[ 516.309720] FS: 00007f54be0a7700(0000) GS:ffff8802c8e00000(0000) knlGS:0000000000000000
[ 516.309720] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 516.309720] CR2: ffffffffa0f12560 CR3: 000000040b1fb000 CR4: 00000000000006a0
[ 516.309720] Stack:
[ 516.309720] ffff8803fc85ff18 ffff8803fc85ff18 ffff8803fc85fef8 8900200549908020
[ 516.309720] ffff8803fc85ff18 ffffffff9ff66470 ffff8803fc85ff18 0000000000000037
[ 516.309720] ffff8803fc85ff78 ffffffff9ff69d26 0000000000000037 0000000000000004
[ 516.309720] Call Trace:
[ 516.309720] ? sockfd_lookup_light (net/socket.c:457)
[ 516.309720] SyS_getsockopt (net/socket.c:1945 net/socket.c:1929)
[ 516.309720] tracesys (arch/x86/kernel/entry_64.S:542)
[ 516.309720] Code: b2 fd 85 c0 74 10 bb f2 ff ff ff e9 06 01 00 00 66 0f 1f 44 00 00 85 d2 0f 88 f0 00 00 00 41 83 fd 04 74 42 41 83 fd 05 0f 84 88 <00> 00 00 41 83 fd 03 0f 85 de 00 00 00 83 fa 03 bb ea ff ff ff
All code
========
0: b2 fd mov $0xfd,%dl
2: 85 c0 test %eax,%eax
4: 74 10 je 0x16
6: bb f2 ff ff ff mov $0xfffffff2,%ebx
b: e9 06 01 00 00 jmpq 0x116
10: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
16: 85 d2 test %edx,%edx
18:* 0f 88 f0 00 00 00 js 0x10e <-- trapping instruction
1e: 41 83 fd 04 cmp $0x4,%r13d
22: 74 42 je 0x66
24: 41 83 fd 05 cmp $0x5,%r13d
28: 0f 84 88 00 00 00 je 0xb6
2e: 41 83 fd 03 cmp $0x3,%r13d
32: 0f 85 de 00 00 00 jne 0x116
38: 83 fa 03 cmp $0x3,%edx
3b: bb ea ff ff ff mov $0xffffffea,%ebx
...
Code starting with the faulting instruction
===========================================
0: 00 00 add %al,(%rax)
2: 00 41 83 add %al,-0x7d(%rcx)
5: fd std
6: 03 0f add (%rdi),%ecx
8: 85 de test %ebx,%esi
a: 00 00 add %al,(%rax)
c: 00 83 fa 03 bb ea add %al,-0x1544fc06(%rbx)
12: ff (bad)
13: ff (bad)
14: ff 00 incl (%rax)
[ 516.309720] RIP netlink_getsockopt (net/netlink/af_netlink.c:2271)
[ 516.309720] RSP <ffff8803fc85fed8>
[ 516.309720] CR2: ffffffffa0f12560
They only theory I had so far is that netlink is a module, and has gone away while the code
was executing, but netlink isn't a module on my kernel.
Thanks,
Sasha
next reply other threads:[~2014-06-13 2:56 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-13 2:56 Sasha Levin [this message]
2014-06-13 2:56 ` mm/sched/net: BUG when running simple code Sasha Levin
2014-06-13 3:27 ` Dan Aloni
2014-06-13 3:27 ` Dan Aloni
2014-06-13 4:01 ` Sasha Levin
2014-06-13 4:01 ` Sasha Levin
2014-06-13 4:13 ` Dave Jones
2014-06-13 4:13 ` Dave Jones
2014-06-13 15:13 ` Sasha Levin
2014-06-13 15:13 ` Sasha Levin
2014-06-17 3:17 ` Sasha Levin
2014-06-17 3:17 ` Sasha Levin
2014-06-17 4:30 ` Dan Aloni
2014-06-17 4:30 ` Dan Aloni
2014-06-13 4:55 ` Dan Aloni
2014-06-13 4:55 ` Dan Aloni
2014-06-13 5:26 ` Dan Aloni
2014-06-13 5:26 ` Dan Aloni
2014-06-13 5:31 ` Dan Aloni
2014-06-13 5:31 ` Dan Aloni
2014-07-08 14:51 ` Peter Zijlstra
2014-07-08 15:25 ` Sasha Levin
2014-07-08 15:25 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=539A6850.4090408@oracle.com \
--to=sasha.levin@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=davej@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.