From: bugzilla-daemon@kernel.org
To: linux-xfs@vger.kernel.org
Subject: [Bug 216073] [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'n o area' (offset 0, size 1)!
Date: Sun, 05 Jun 2022 05:32:21 +0000
Message-ID: <bug-216073-201763-aTV8ZfvA20@https.bugzilla.kernel.org/>
In-Reply-To: <bug-216073-201763@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=216073
--- Comment #2 from Zorro Lang (zlang@redhat.com) ---
Default xfs (no specified mkfs options) can reproduce this bug with xfstests
xfs/294. The decode_stacktrace.sh output is below [1], HEAD=032dcf09e ("Merge
tag 'gpio-fixes-for-v5.19-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux")
[1]
# ./scripts/decode_stacktrace.sh vmlinux < console.log
[30523.215443] run fstests xfs/294 at 2022-06-05 00:40:48
[30525.371171] XFS (loop1): Mounting V5 Filesystem
[30525.388258] XFS (loop1): Ending clean mount
[30574.012385] restraintd[1854]: *** Current Time: Sun Jun 05 00:41:38 2022
Loc
alwatchdog at: Mon Jun 06 16:13:37 2022
[30604.239628] usercopy: Kernel memory exposure attempt detected from vmalloc
'n
o area' (offset 0, size 1)!
[30604.239677] ------------[ cut here ]------------
[30604.239679] kernel BUG at mm/usercopy.c:101!
[30604.239731] monitor event: 0040 ilc:2 [#1] SMP
[30604.239774] Modules linked in: ext2 overlay dm_zero dm_log_writes
dm_thin_poo
l dm_persistent_data dm_bio_prison sd_mod t10_pi crc64_rocksoft_generic
crc64_ro
cksoft crc64 sg dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey tls loop lcs
ct
cm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill vfio_ccw mdev
vfio_iommu_type1
zcrypt_cex4 vfio sunrpc drm i2c_core fb fuse font drm_panel_orientation_quirks
xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390
qeth
_l2 bridge stp llc dasd_eckd_mod dasd_mod qeth qdio ccwgroup dm_mirror
dm_region
_hash dm_log dm_mod pkey zcrypt [last unloaded: scsi_debug]
5.18.0+ #1
[30604.240048] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
[30604.240155] Krnl PSW : 0704d00180000000 00000000255ca85a
(usercopy_abort+0xaa
/0xb0)
[30604.240177] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0
RI:
0 EA:3
[30604.240188] Krnl GPRS: 0000000000000001 001c000018090e00 000000000000005c
000
0000000000004
[30604.240196] 001c000000000000 00000000249b2024 00000000257cb1a0
001
bff8000000000
[30604.240204] 0000000000000001 0000000000000001 0000000000000000
000
00000257cb1e0
[30604.240213] 0000000025d8d070 00000000973502c0 00000000255ca856
001
bff80041af730
[30604.240231] Krnl Code: 00000000255ca84c: b9040031 lgr %r3,%r1
Code starting with the faulting instruction
===========================================
[30604.240231] 00000000255ca850: c0e5ffffbbfc brasl
%r14,000
00000255c2048
[30604.240231] #00000000255ca856: af000000 mc 0,0
[30604.240231] >00000000255ca85a: 0707 bcr 0,%r7
[30604.240231] 00000000255ca85c: 0707 bcr 0,%r7
[30604.240231] 00000000255ca85e: 0707 bcr 0,%r7
[30604.240231] 00000000255ca860: c0040007b0a4 brcl
0,000000
00256c09a8
[30604.240231] 00000000255ca866: eb6ff0480024 stmg
%r6,%r15
,72(%r15)
[30604.240369] Call Trace:
[30604.240375] usercopy_abort (??:?)
[30604.240382] usercopy_abort (mm/usercopy.c:101 (discriminator 24))
[30604.240400] check_heap_object (mm/usercopy.c:180)
[30604.240409] __check_object_size (mm/usercopy.c:123 mm/usercopy.c:255
mm/usercopy.c:214)
[30604.240415] filldir64 (./include/linux/uaccess.h:108 fs/readdir.c:339)
[30604.240424] xfs_dir2_leaf_getdents (./include/linux/fs.h:3430
fs/xfs/xfs_dir2_readdir.c:472) xfs
[30604.240830] xfs_readdir (fs/xfs/xfs_dir2_readdir.c:547) xfs
[30604.241036] iterate_dir (fs/readdir.c:65)
[30604.241042] __do_sys_getdents64 (fs/readdir.c:369)
[30604.241047] do_syscall (arch/s390/kernel/syscall.c:144 (discriminator 1))
[30604.241053] __do_syscall (arch/s390/kernel/syscall.c:169)
[30604.241058] system_call (arch/s390/kernel/entry.S:335)
[30604.241064] INFO: lockdep is turned off.
[30604.241067] Last Breaking-Event-Address:
[30604.241070] _printk (kernel/printk/printk.c:2426)
[30604.241077] ---[ end trace 0000000000000000 ]---
[30609.984847] usercopy: Kernel memory exposure attempt detected from vmalloc
'n
o area' (offset 0, size 1)!
[30609.984894] ------------[ cut here ]------------
[30609.984896] kernel BUG at mm/usercopy.c:101!
[30609.984945] monitor event: 0040 ilc:2 [#2] SMP
[30609.984984] Modules linked in: ext2 overlay dm_zero dm_log_writes
dm_thin_poo
l dm_persistent_data dm_bio_prison sd_mod t10_pi crc64_rocksoft_generic crc64_r
cksoft crc64 sg dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey tls loop lcs
ct
cm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill vfio_ccw mdev
vfio_iommu_type1
zcrypt_cex4 vfio sunrpc drm i2c_core fb fuse font drm_panel_orientation_quirks
xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390
qeth
_l2 bridge stp llc dasd_eckd_mod dasd_mod qeth qdio ccwgroup dm_mirror
dm_region
_hash dm_log dm_mod pkey zcrypt [last unloaded: scsi_debug]
5.18.0+ #1
[30609.985151] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
[30609.985211] Krnl PSW : 0704d00180000000 00000000255ca85a
(usercopy_abort+0xaa
/0xb0)
[30609.985249] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0
RI:
0 EA:3
[30609.985258] Krnl GPRS: 0000000000000001 001c000018090e00 000000000000005c
000
0000000000004
[30609.985264] 001c000000000000 00000000249b2024 00000000257cb1a0
001
bff8000000000
[30609.985271] 0000000000000001 0000000000000001 0000000000000000
000
00000257cb1e0
[30609.985276] 0000000025d8d070 00000000a2d652c0 00000000255ca856
001
bff800810f668
[30609.985293] Krnl Code: 00000000255ca84c: b9040031 lgr %r3,%r1
Code starting with the faulting instruction
===========================================
[30609.985293] 00000000255ca850: c0e5ffffbbfc brasl
%r14,000
00000255c2048
[30609.985293] #00000000255ca856: af000000 mc 0,0
[30609.985293] >00000000255ca85a: 0707 bcr 0,%r7
[30609.985293] 00000000255ca85c: 0707 bcr 0,%r7
[30609.985293] 00000000255ca85e: 0707 bcr 0,%r7
[30609.985293] 00000000255ca860: c0040007b0a4 brcl
0,000000
00256c09a8
[30609.985293] 00000000255ca866: eb6ff0480024 stmg
%r6,%r15
,72(%r15)
[30609.985340] Call Trace:
[30609.985345] usercopy_abort (??:?)
[30609.985352] usercopy_abort (mm/usercopy.c:101 (discriminator 24))
[30609.985358] check_heap_object (mm/usercopy.c:180)
[30609.985367] __check_object_size (mm/usercopy.c:123 mm/usercopy.c:255
mm/usercopy.c:214)
[30609.985374] filldir64 (./include/linux/uaccess.h:108 fs/readdir.c:339)
[30609.985383] xfs_dir2_leaf_getdents (./include/linux/fs.h:3430
fs/xfs/xfs_dir2_readdir.c:472) xfs
[30609.985780] xfs_readdir (fs/xfs/xfs_dir2_readdir.c:547) xfs
[30609.986002] iterate_dir (fs/readdir.c:65)
[30609.986009] __do_sys_getdents64 (fs/readdir.c:369)
[30609.986017] do_syscall (arch/s390/kernel/syscall.c:144 (discriminator 1))
[30609.986026] __do_syscall (arch/s390/kernel/syscall.c:169)
[30609.986033] system_call (arch/s390/kernel/entry.S:335)
[30609.986041] INFO: lockdep is turned off.
[30609.986046] Last Breaking-Event-Address:
[30609.986050] _printk (kernel/printk/printk.c:2426)
[30609.986059] ---[ end trace 0000000000000000 ]---
[30610.050449] XFS (loop0): Unmounting Filesystem