From: bugzilla-daemon@kernel.org
To: linux-xfs@vger.kernel.org
Subject: [Bug 216073] [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'n o area' (offset 0, size 1)!
Date: Mon, 06 Jun 2022 22:13:14 +0000 [thread overview]
Message-ID: <bug-216073-201763-bZMTj6K6Vb@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-216073-201763@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=216073
--- Comment #3 from Andrew Morton (akpm@linux-foundation.org) ---
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
On Sun, 05 Jun 2022 01:00:15 +0000 bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=216073
>
> Bug ID: 216073
> Summary: [s390x] kernel BUG at mm/usercopy.c:101! usercopy:
> Kernel memory exposure attempt detected from vmalloc
> 'n o area' (offset 0, size 1)!
> Product: Memory Management
> Version: 2.5
> Kernel Version: 5.19-rc0
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> Assignee: akpm@linux-foundation.org
> Reporter: zlang@redhat.com
> Regression: No
>
> Recently xfstests on s390x always hit below kernel BUG:
> usercopy: Kernel memory exposure attempt detected from vmalloc 'no area'
> (offset 0, size 1)!
Thanks. Do you know if this is specific to s390?
> It's reproducible on xfs with default mkfs options. But it's easier and 100%
> reproducible (for me) on xfs with 64k directory block size (-n size=65536).
>
> The kernel HEAD commit is:
> commit 032dcf09e2bf7c822be25b4abef7a6c913870d98
> Author: Linus Torvalds <torvalds@linux-foundation.org>
> Date: Fri Jun 3 20:01:25 2022 -0700
>
> Merge tag 'gpio-fixes-for-v5.19-rc1' of
> git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
>
>
> [20797.425894] XFS (loop1): Mounting V5 Filesystem
> [20797.433354] XFS (loop1): Ending clean mount
> [20823.669300] usercopy: Kernel memory exposure attempt detected from vmalloc 'no area' (offset 0, size 1)!
> [20823.669339] ------------[ cut here ]------------
> [20823.669340] kernel BUG at mm/usercopy.c:101!
> [20823.669385] monitor event: 0040 ilc:2 [#1] SMP
> [20823.669415] Modules linked in: ext2 overlay dm_zero dm_log_writes dm_thin_pool dm_persistent_data dm_bio_prison sd_mod t10_pi crc64_rocksoft_generic crc64_rocksoft crc64 sg dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey tls loop lcs ctcm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill sunrpc vfio_ccw mdev vfio_iommu_type1 zcrypt_cex4 vfio drm fuse i2c_core fb font drm_panel_orientation_quirks xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390 dasd_eckd_mod dasd_mod qeth_l2 bridge stp llc qeth qdio ccwgroup dm_mirror dm_region_hash dm_log dm_mod pkey zcrypt [last unloaded: scsi_debug]
> [20823.669520] CPU: 0 PID: 3774731 Comm: rm Kdump: loaded Tainted: G B W 5.18.0+ #1
> [20823.669530] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
> [20823.672501] Krnl PSW : 0704d00180000000 000000009df4a85a (usercopy_abort+0xaa/0xb0)
> [20823.672564] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
> [20823.672575] Krnl GPRS: 0000000000000001 001c000018090e00 000000000000005c 0000000000000004
> [20823.672584] 001c000000000000 000000009d332024 000000009e14b1a0 001bff8000000000
> [20823.672593] 0000000000000001 0000000000000001 0000000000000000 000000009e14b1e0
> [20823.672601] 000000009e70d070 00000000a87bdac0 000000009df4a856 001bff8001f5f720
> [20823.672621] Krnl Code: 000000009df4a84c: b9040031 lgr %r3,%r1
> [20823.672621] 000000009df4a850: c0e5ffffbbfc brasl %r14,000000009df42048
> [20823.672621] #000000009df4a856: af000000 mc 0,0
> [20823.672621] >000000009df4a85a: 0707 bcr 0,%r7
> [20823.672621] 000000009df4a85c: 0707 bcr 0,%r7
> [20823.672621] 000000009df4a85e: 0707 bcr 0,%r7
> [20823.672621] 000000009df4a860: c0040007b0a4 brcl 0,000000009e0409a8
> [20823.672621] 000000009df4a866: eb6ff0480024 stmg %r6,%r15,72(%r15)
> [20823.672789] Call Trace:
> [20823.672794] [<000000009df4a85a>] usercopy_abort+0xaa/0xb0
> [20823.672817] ([<000000009df4a856>] usercopy_abort+0xa6/0xb0)
> [20823.672825] [<000000009cd30c34>] check_heap_object+0x474/0x480
> [20823.672833] [<000000009cd30cb4>] __check_object_size+0x74/0x150
> [20823.672840] [<000000009cd8de06>] filldir64+0x296/0x530
> [20823.672849] [<001bffff805957dc>] xfs_dir2_leaf_getdents+0x40c/0xca0 [xfs]
> [20823.673277] [<001bffff80596e18>] xfs_readdir+0x3f8/0x740 [xfs]
> [20823.673522] [<000000009cd8c7ac>] iterate_dir+0x41c/0x580
> [20823.673529] [<000000009cd8d6b4>] __do_sys_getdents64+0xc4/0x1c0
> [20823.673537] [<000000009c4bda8c>] do_syscall+0x22c/0x330
> [20823.673546] [<000000009df5e8be>] __do_syscall+0xce/0xf0
> [20823.673554] [<000000009df87402>] system_call+0x82/0xb0
> [20823.673563] INFO: lockdep is turned off.
> [20823.673568] Last Breaking-Event-Address:
> [20823.673572] [<000000009df420f4>] _printk+0xac/0xb8
> [20823.673581] ---[ end trace 0000000000000000 ]---
> [20829.875273] usercopy: Kernel memory exposure attempt detected from vmalloc 'no area' (offset 0, size 1)!
> [20829.875316] ------------[ cut here ]------------
> [20829.875318] kernel BUG at mm/usercopy.c:101!
> [20829.875448] monitor event: 0040 ilc:2 [#2] SMP
> [20829.875468] Modules linked in: ext2 overlay dm_zero dm_log_writes dm_thin_pool dm_persistent_data dm_bio_prison sd_mod t10_pi crc64_rocksoft_generic crc64_rocksoft crc64 sg dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey tls loop lcs ctcm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill sunrpc vfio_ccw mdev vfio_iommu_type1 zcrypt_cex4 vfio drm fuse i2c_core fb font drm_panel_orientation_quirks xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390 dasd_eckd_mod dasd_mod qeth_l2 bridge stp llc qeth qdio ccwgroup dm_mirror dm_region_hash dm_log dm_mod pkey zcrypt [last unloaded: scsi_debug]
> [20829.875616] CPU: 0 PID: 3776251 Comm: find Kdump: loaded Tainted: G B D W 5.18.0+ #1
> [20829.875629] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
> [20829.879533] Krnl PSW : 0704d00180000000 000000009df4a85a (usercopy_abort+0xaa/0xb0)
> [20829.879554] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
> [20829.879573] Krnl GPRS: 0000000000000001 001c000018090e00 000000000000005c 0000000000000004
> [20829.879578] 001c000000000000 000000009d332024 000000009e14b1a0 001bff8000000000
> [20829.879583] 0000000000000001 0000000000000001 0000000000000000 000000009e14b1e0
> [20829.879587] 000000009e70d070 00000000a21852c0 000000009df4a856 001bff8004fef728
> [20829.879599] Krnl Code: 000000009df4a84c: b9040031 lgr %r3,%r1
> [20829.879599] 000000009df4a850: c0e5ffffbbfc brasl %r14,000000009df42048
> [20829.879599] #000000009df4a856: af000000 mc 0,0
> [20829.879599] >000000009df4a85a: 0707 bcr 0,%r7
> [20829.879599] 000000009df4a85c: 0707 bcr 0,%r7
> [20829.879599] 000000009df4a85e: 0707 bcr 0,%r7
> [20829.879599] 000000009df4a860: c0040007b0a4 brcl 0,000000009e0409a8
> [20829.879599] 000000009df4a866: eb6ff0480024 stmg %r6,%r15,72(%r15)
> [20829.879631] Call Trace:
> [20829.879634] [<000000009df4a85a>] usercopy_abort+0xaa/0xb0
> [20829.879639] ([<000000009df4a856>] usercopy_abort+0xa6/0xb0)
> [20829.879644] [<000000009cd30c34>] check_heap_object+0x474/0x480
> [20829.879650] [<000000009cd30cb4>] __check_object_size+0x74/0x150
> [20829.879654] [<000000009cd8de06>] filldir64+0x296/0x530
> [20829.879661] [<001bffff805957dc>] xfs_dir2_leaf_getdents+0x40c/0xca0 [xfs]
> [20829.879971] [<001bffff80596e18>] xfs_readdir+0x3f8/0x740 [xfs]
> [20829.880107] [<000000009cd8c7ac>] iterate_dir+0x41c/0x580
> [20829.880112] [<000000009cd8d6b4>] __do_sys_getdents64+0xc4/0x1c0
> [20829.880117] [<000000009c4bda8c>] do_syscall+0x22c/0x330
> [20829.880124] [<000000009df5e8be>] __do_syscall+0xce/0xf0
> [20829.880129] [<000000009df87402>] system_call+0x82/0xb0
> [20829.880135] INFO: lockdep is turned off.
> [20829.880138] Last Breaking-Event-Address:
> [20829.880141] [<000000009df420f4>] _printk+0xac/0xb8
> [20829.880148] ---[ end trace 0000000000000000 ]---
> [20829.975537] XFS (loop0): Unmounting Filesystem
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are the assignee for the bug.
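To make the abort line in the trace above readable, here is a user-space model of the check that emits it. This is an added example for this page, not code from the bug report, from XFS or from mm/usercopy.c: the area table, the address values, the VMALLOC_START/VMALLOC_END bounds and the function names are all assumptions made for the example. Only the message wording is taken from the report; in the kernel's own check, the first word after "from"/"to" names the kind of object the source address fell in ("vmalloc"), the quoted detail is the reason the copy was refused ("no area": the address sits in the vmalloc range but no mapping describes it), and offset/size are the position within the mapping (0 when none was found) and the requested copy length (1 here, the copy issued by filldir64).

```c
/* Added example, not code from the bug report or from the kernel tree.
 * User-space model of a hardened-usercopy bounds check for vmalloc memory.
 * All addresses, bounds and names below are constructed for the example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's list of mapped areas: [start, end). */
struct vmap_area {
	unsigned long va_start;
	unsigned long va_end;
};

static const struct vmap_area areas[] = {
	{ 0x001bff8000000000UL, 0x001bff8000010000UL },	/* 64 KiB mapping */
	{ 0x001bff8000020000UL, 0x001bff8000021000UL },	/* 4 KiB mapping */
};

/* Assumed vmalloc range for the model; anything outside it is not ours
 * to check here and is reported as NOT_VMALLOC. */
#define VMALLOC_START 0x001bff8000000000UL
#define VMALLOC_END   0x001c000000000000UL

enum usercopy_verdict {
	USERCOPY_OK,
	USERCOPY_NOT_VMALLOC,
	USERCOPY_NO_AREA,
	USERCOPY_OVERRUN,
};

static const struct vmap_area *find_vmap_area(unsigned long addr)
{
	for (size_t i = 0; i < sizeof(areas) / sizeof(areas[0]); i++)
		if (addr >= areas[i].va_start && addr < areas[i].va_end)
			return &areas[i];
	return NULL;
}

/* Builds the abort line in the shape the report shows: name is the kind of
 * object hit, detail (may be NULL) is the reason, to_user picks
 * "exposure ... from" versus "overwrite ... to". */
static void format_abort(char *buf, size_t len, const char *name,
			 const char *detail, bool to_user,
			 unsigned long offset, unsigned long n)
{
	snprintf(buf, len,
		 "usercopy: Kernel memory %s attempt detected %s %s%s%s%s (offset %lu, size %lu)!",
		 to_user ? "exposure" : "overwrite",
		 to_user ? "from" : "to",
		 name,
		 detail ? " '" : "", detail ? detail : "", detail ? "'" : "",
		 offset, n);
}

/* Check a copy of n bytes starting at addr. On refusal the abort line is
 * written to msg (msg_len bytes) and the reason returned; msg is empty
 * when the copy is allowed or not a vmalloc address at all. */
static enum usercopy_verdict
check_vmalloc_object(unsigned long addr, unsigned long n, bool to_user,
		     char *msg, size_t msg_len)
{
	const struct vmap_area *area;
	unsigned long offset;

	msg[0] = '\0';
	if (addr < VMALLOC_START || addr >= VMALLOC_END)
		return USERCOPY_NOT_VMALLOC;

	area = find_vmap_area(addr);
	if (!area) {
		/* The branch matching the s390 trace: in the vmalloc range but
		 * no mapping found, so offset is reported as 0 and size is the
		 * requested copy length. */
		format_abort(msg, msg_len, "vmalloc", "no area", to_user, 0, n);
		return USERCOPY_NO_AREA;
	}

	offset = addr - area->va_start;
	if (offset + n > area->va_end - area->va_start) {
		/* Mapping found, but the copy runs past its end. */
		format_abort(msg, msg_len, "vmalloc", NULL, to_user, offset, n);
		return USERCOPY_OVERRUN;
	}
	return USERCOPY_OK;
}

int main(void)
{
	char msg[160];

	/* Constructed input: one byte copied to user from an unmapped address. */
	check_vmalloc_object(0x001bff8000015000UL, 1, true, msg, sizeof(msg));
	puts(msg);
	/* Constructed input: 32 bytes starting 16 bytes before the 4 KiB area ends. */
	check_vmalloc_object(0x001bff8000020ff0UL, 32, true, msg, sizeof(msg));
	puts(msg);
	return 0;
}
```

The first call reproduces the exact line from the report, which is the point: "no area" is not an overrun verdict, it is the checker saying it could not find any mapping to bound the copy against, so the reported offset carries no information and only the size (the length filldir64 asked to copy) is meaningful.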
Thread overview: 19+ messages
[not found] <bug-216073-201763@https.bugzilla.kernel.org/>
2022-06-05 1:01 ` [Bug 216073] [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'n o area' (offset 0, size 1)! bugzilla-daemon
2022-06-05 5:32 ` bugzilla-daemon
2022-06-06 22:13 ` bugzilla-daemon [this message]
2022-06-07 15:05 ` bugzilla-daemon
2022-06-08 2:19 ` bugzilla-daemon
2022-06-08 19:13 ` bugzilla-daemon
2022-06-09 2:49 ` bugzilla-daemon
2022-06-11 10:19 ` bugzilla-daemon
2022-06-11 20:26 ` bugzilla-daemon
2022-06-12 4:42 ` bugzilla-daemon
2022-06-12 11:59 ` bugzilla-daemon
2022-06-12 13:03 ` bugzilla-daemon
2022-06-12 17:26 ` bugzilla-daemon
2022-06-12 18:00 ` bugzilla-daemon
2022-06-12 18:05 ` bugzilla-daemon
2022-06-12 18:44 ` bugzilla-daemon
2022-06-12 19:07 ` bugzilla-daemon
2022-06-12 19:52 ` bugzilla-daemon
2022-06-12 20:53 ` bugzilla-daemon