From: Colin Ian King via Bugspray Bot <bugbot@kernel.org>
To: deller@gmx.de, bugs@lists.linux.dev,
	linux-parisc@vger.kernel.org,
	 James.Bottomley@HansenPartnership.com
Subject: calling getcpu with misaligned address causes kernel panic
Date: Tue, 01 Oct 2024 15:00:12 +0000	[thread overview]
Message-ID: <20241001-b219339c0-15109b153aef@bugzilla.kernel.org> (raw)

Colin Ian King writes via Kernel.org Bugzilla:

Passing a read-only, incorrectly aligned address into getcpu() causes a kernel panic. I originally found this issue when testing stress-ng using stress-ng --sysbadaddr 1; I've managed to make a short reproducer that panics the kernel on every invocation of the program.

I can reproduce this on mainline kernels (in Debian), tested and reproduced on kernels 6.6.15, 6.9.7 and 6.10.6, so it's been around a while and it's still reproducible on recent kernels.

This only occurs on PA-RISC (hppa) kernels and has only been tested in a QEMU VM, since I don't have access to real H/W.

cking@hppa:~$ cat crash.c

#define _GNU_SOURCE
#include <sched.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(void)
{
	unsigned int *cpu, *node;
	char *addr;

	/* Map a single read-only anonymous page. */
	addr = mmap(NULL, 4096, PROT_READ, MAP_ANONYMOUS | MAP_SHARED, -1, 0);
	if (addr == MAP_FAILED)
		return 1;

	/*
	 * cpu points at the start of the page; node is deliberately
	 * misaligned by one byte (addr + 1). Both live in read-only
	 * memory, so the kernel is expected to return EFAULT here,
	 * but on PA-RISC it panics instead.
	 */
	cpu = (unsigned int *)addr;
	node = (unsigned int *)(addr + 1);
	getcpu(cpu, node);

	return 0;
}

cking@hppa:~$ gcc crash.c -o crash
cking@hppa:~$ ./crash

[  361.158650] Backtrace:
[  361.159621]  [<10413c78>] handle_unaligned+0x590/0x710
[  361.159621]  [<10409354>] handle_interruption+0x1dc/0x7b8
[  361.159621]  [<104545d8>] sys_getcpu+0x30/0x74
[  361.159621] 
[  361.159621] 
[  361.159621] Page fault: bad address: Code=26 (Data memory access rights trap) at addr f9000000
[  361.159621] CPU: 2 PID: 749 Comm: crash Not tainted 6.6.15-parisc #1  Debian 6.6.15-2
[  361.159621] Hardware name: 9000/778/B160L
[  361.159621] 
[  361.159621]      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
[  361.159621] PSW: 00000000000001000000000000001111 Not tainted
[  361.159621] r00-03  0004000f 00000000 10413c78 142903c0
[  361.159621] r04-07  14290080 12a08000 fc000000 f9000001
[  361.159621] r08-11  00000000 0f3dd280 f9099c20 f9096e58
[  361.159621] r12-15  00011008 0119c228 00000000 00000001
[  361.159621] r16-19  14290080 00138428 011b4e00 ff000000
[  361.159621] r20-23  00000000 00000000 00000000 00000011
[  361.159621] r24-27  00000000 00000000 14290080 110dd848
[  361.159621] r28-31  f9000000 00000000 14290400 000003c3
[  361.159621] sr00-03  000003c3 000003c3 00000000 000003c3
[  361.159621] sr04-07  00000000 00000000 00000000 00000000
[  361.159621] 
[  361.159621] IASQ: 00000000 00000000 IAOQ: 104135ac 104135b0
[  361.170517]  IIR: 0f945280    ISR: 000003c3  IOR: f9000000
[  361.170517]  CPU:        2   CR30: 12a08000 CR31: 00000000
[  361.170517]  ORIG_R28: 12a08000
[  361.170517]  IAOQ[0]: emulate_stw+0x5c/0x94
[  361.170517]  IAOQ[1]: emulate_stw+0x60/0x94
[  361.170517]  RP(r2): handle_unaligned+0x590/0x710
[  361.170517] Backtrace:
[  361.170517]  [<10413c78>] handle_unaligned+0x590/0x710
[  361.170517]  [<10409354>] handle_interruption+0x1dc/0x7b8
[  361.170517]  [<104545d8>] sys_getcpu+0x30/0x74
[  361.170517] 
[  361.170517] Kernel panic - not syncing: Page fault: bad address
[  361.170517] ---[ end Kernel panic - not syncing: Page fault: bad address ]---

View: https://bugzilla.kernel.org/show_bug.cgi?id=219339#c0
You can reply to this message to join the discussion.
-- 
Deet-doot-dot, I am a bot.
Kernel.org Bugzilla (bugspray 0.1-dev)

Thread overview: 9+ messages
2024-10-01 15:00 Colin Ian King via Bugspray Bot [this message]
2024-10-01 15:00 ` calling getcpu with misaligned address causes kernel panic Colin Ian King via Bugspray Bot
2024-10-01 16:05 ` Helge Deller via Bugspray Bot
2024-10-01 17:45 ` Colin Ian King via Bugspray Bot
2024-10-01 22:20 ` Helge Deller via Bugspray Bot
2024-10-02  2:45 ` Helge Deller via Bugspray Bot
2024-10-08 20:20 ` Helge Deller via Bugspray Bot
2024-10-14 19:00 ` Helge Deller via Bugspray Bot
2024-10-15  9:15 ` Colin Ian King via Bugspray Bot