From: bugzilla-daemon@kernel.org
To: linux-xfs@vger.kernel.org
Subject: [Bug 216073] [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'n o area' (offset 0, size 1)!
Date: Mon, 06 Jun 2022 22:13:14 +0000 [thread overview]
Message-ID: <bug-216073-201763-bZMTj6K6Vb@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-216073-201763@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=216073
--- Comment #3 from Andrew Morton (akpm@linux-foundation.org) ---
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
On Sun, 05 Jun 2022 01:00:15 +0000 bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=216073
>
> Bug ID: 216073
> Summary: [s390x] kernel BUG at mm/usercopy.c:101! usercopy:
> Kernel memory exposure attempt detected from vmalloc
> 'n o area' (offset 0, size 1)!
> Product: Memory Management
> Version: 2.5
> Kernel Version: 5.19-rc0
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> Assignee: akpm@linux-foundation.org
> Reporter: zlang@redhat.com
> Regression: No
>
> Recently xfstests on s390x always hit below kernel BUG:
> usercopy: Kernel memory exposure attempt detected from vmalloc 'no area'
> (offset 0, size 1)!
Thanks. Do you know if this is specific to s390?
> It's reproducible on xfs with default mkfs options. But it's easier and 100%
> reproducible (for me) on xfs with 64k directory block size (-n size=65536).
>
> The kernel HEAD commit is:
> commit 032dcf09e2bf7c822be25b4abef7a6c913870d98
> Author: Linus Torvalds <torvalds@linux-foundation.org>
> Date: Fri Jun 3 20:01:25 2022 -0700
>
> Merge tag 'gpio-fixes-for-v5.19-rc1' of
> git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
>
>
> [20797.425894] XFS (loop1): Mounting V5 Filesystem
> [20797.433354] XFS (loop1): Ending clean mount
> [20823.669300] usercopy: Kernel memory exposure attempt detected from vmalloc
> 'n
> o area' (offset 0, size 1)!
> [20823.669339] ------------[ cut here ]------------
> [20823.669340] kernel BUG at mm/usercopy.c:101!
> [20823.669385] monitor event: 0040 ilc:2 [#1] SMP
> [20823.669415] Modules linked in: ext2 overlay dm_zero dm_log_writes
> dm_thin_poo
> l dm_persistent_data dm_bio_prison sd_mod t10_pi crc64_rocksoft_generic
> crc64_ro
> cksoft crc64 sg dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey tls loop lcs
> ct
> cm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill sunrpc vfio_ccw mdev
> vfio_iomm
> u_type1 zcrypt_cex4 vfio drm fuse i2c_core fb font
> drm_panel_orientation_quirks
> xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390
> dasd
> _eckd_mod dasd_mod qeth_l2 bridge stp llc qeth qdio ccwgroup dm_mirror
> dm_region
> _hash dm_log dm_mod pkey zcrypt [last unloaded: scsi_debug]
> [20823.669520] CPU: 0 PID: 3774731 Comm: rm Kdump: loaded Tainted: G B W
> 5.18.0+ #1
> [20823.669530] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
> [20823.672501] Krnl PSW : 0704d00180000000 000000009df4a85a
> (usercopy_abort+0xaa
> /0xb0)
> [20823.672564] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0
> RI:
> 0 EA:3
> [20823.672575] Krnl GPRS: 0000000000000001 001c000018090e00 000000000000005c
> 000
> 0000000000004
> [20823.672584] 001c000000000000 000000009d332024 000000009e14b1a0
> 001
> bff8000000000
> [20823.672593] 0000000000000001 0000000000000001 0000000000000000
> 000
> 000009e14b1e0
> [20823.672601] 000000009e70d070 00000000a87bdac0 000000009df4a856
> 001
> bff8001f5f720
> [20823.672621] Krnl Code: 000000009df4a84c: b9040031 lgr
> %r3,%r1
> [20823.672621] 000000009df4a850: c0e5ffffbbfc brasl
> %r14,000
> 000009df42048
> [20823.672621] #000000009df4a856: af000000 mc 0,0
> [20823.672621] >000000009df4a85a: 0707 bcr 0,%r7
> [20823.672621] 000000009df4a85c: 0707 bcr 0,%r7
> [20823.672621] 000000009df4a85e: 0707 bcr 0,%r7
> [20823.672621] 000000009df4a860: c0040007b0a4 brcl
> 0,000000
> 009e0409a8
> [20823.672621] 000000009df4a866: eb6ff0480024 stmg
> %r6,%r15
> ,72(%r15)
> [20823.672789] Call Trace:
> [20823.672794] [<000000009df4a85a>] usercopy_abort+0xaa/0xb0
> [20823.672817] ([<000000009df4a856>] usercopy_abort+0xa6/0xb0)
> [20823.672825] [<000000009cd30c34>] check_heap_object+0x474/0x480
> [20823.672833] [<000000009cd30cb4>] __check_object_size+0x74/0x150
> [20823.672840] [<000000009cd8de06>] filldir64+0x296/0x530
> [20823.672849] [<001bffff805957dc>] xfs_dir2_leaf_getdents+0x40c/0xca0 [xfs]
> [20823.673277] [<001bffff80596e18>] xfs_readdir+0x3f8/0x740 [xfs]
> [20823.673522] [<000000009cd8c7ac>] iterate_dir+0x41c/0x580
> [20823.673529] [<000000009cd8d6b4>] __do_sys_getdents64+0xc4/0x1c0
> [20823.673537] [<000000009c4bda8c>] do_syscall+0x22c/0x330
> [20823.673546] [<000000009df5e8be>] __do_syscall+0xce/0xf0
> [20823.673554] [<000000009df87402>] system_call+0x82/0xb0
> [20823.673563] INFO: lockdep is turned off.
> [20823.673568] Last Breaking-Event-Address:
> [20823.673572] [<000000009df420f4>] _printk+0xac/0xb8
> [20823.673581] ---[ end trace 0000000000000000 ]---
> [20829.875273] usercopy: Kernel memory exposure attempt detected from vmalloc
> 'n
> o area' (offset 0, size 1)!
> [20829.875316] ------------[ cut here ]------------
> [20829.875318] kernel BUG at mm/usercopy.c:101!
> [20829.875448] monitor event: 0040 ilc:2 [#2] SMP
> [20829.875468] Modules linked in: ext2 overlay dm_zero dm_log_writes
> dm_thin_poo
> l dm_persistent_data dm_bio_prison sd_mod t10_pi crc64_rocksoft_generic
> crc64_r
> cksoft crc64 sg dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey tls loop lcs
> ct
> cm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill sunrpc vfio_ccw mdev
> vfio_iomm
> u_type1 zcrypt_cex4 vfio drm fuse i2c_core fb font
> drm_panel_orientation_quirks
> xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390
> dasd
> _eckd_mod dasd_mod qeth_l2 bridge stp llc qeth qdio ccwgroup dm_mirror
> dm_region
> _hash dm_log dm_mod pkey zcrypt [last unloaded: scsi_debug]
> [20829.875616] CPU: 0 PID: 3776251 Comm: find Kdump: loaded Tainted: G B D
> W
> 5.18.0+ #1
> [20829.875629] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
> [20829.879533] Krnl PSW : 0704d00180000000 000000009df4a85a
> (usercopy_abort+0xaa
> /0xb0)
> [20829.879554] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0
> RI:
> 0 EA:3
> [20829.879573] Krnl GPRS: 0000000000000001 001c000018090e00 000000000000005c
> 000
> 0000000000004
> [20829.879578] 001c000000000000 000000009d332024 000000009e14b1a0
> 001
> bff8000000000
> [20829.879583] 0000000000000001 0000000000000001 0000000000000000
> 000
> 000009e14b1e0
> [20829.879587] 000000009e70d070 00000000a21852c0 000000009df4a856
> 001
> bff8004fef728
> [20829.879599] Krnl Code: 000000009df4a84c: b9040031 lgr
> %r3,%r1
> [20829.879599] 000000009df4a850: c0e5ffffbbfc brasl
> %r14,000
> 000009df42048
> [20829.879599] #000000009df4a856: af000000 mc 0,0
> [20829.879599] >000000009df4a85a: 0707 bcr 0,%r7
> [20829.879599] 000000009df4a85c: 0707 bcr 0,%r7
> [20829.879599] 000000009df4a85e: 0707 bcr 0,%r7
> [20829.879599] 000000009df4a860: c0040007b0a4 brcl
> 0,000000
> 009e0409a8
> [20829.879599] 000000009df4a866: eb6ff0480024 stmg
> %r6,%r15
> ,72(%r15)
> [20829.879631] Call Trace:
> [20829.879634] [<000000009df4a85a>] usercopy_abort+0xaa/0xb0
> [20829.879639] ([<000000009df4a856>] usercopy_abort+0xa6/0xb0)
> [20829.879644] [<000000009cd30c34>] check_heap_object+0x474/0x480
> [20829.879650] [<000000009cd30cb4>] __check_object_size+0x74/0x150
> [20829.879654] [<000000009cd8de06>] filldir64+0x296/0x530
> [20829.879661] [<001bffff805957dc>] xfs_dir2_leaf_getdents+0x40c/0xca0 [xfs]
> [20829.879971] [<001bffff80596e18>] xfs_readdir+0x3f8/0x740 [xfs]
> [20829.880107] [<000000009cd8c7ac>] iterate_dir+0x41c/0x580
> [20829.880112] [<000000009cd8d6b4>] __do_sys_getdents64+0xc4/0x1c0
> [20829.880117] [<000000009c4bda8c>] do_syscall+0x22c/0x330
> [20829.880124] [<000000009df5e8be>] __do_syscall+0xce/0xf0
> [20829.880129] [<000000009df87402>] system_call+0x82/0xb0
> [20829.880135] INFO: lockdep is turned off.
> [20829.880138] Last Breaking-Event-Address:
> [20829.880141] [<000000009df420f4>] _printk+0xac/0xb8
> [20829.880148] ---[ end trace 0000000000000000 ]---
> [20829.975537] XFS (loop0): Unmounting Filesystem
>
> --
> You may reply to this email to add a comment.
>
> You are receiving this mail because:
> You are the assignee for the bug.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching someone on the CC list of the bug.
next prev parent reply other threads:[~2022-06-06 22:13 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-216073-201763@https.bugzilla.kernel.org/>
2022-06-05 1:01 ` [Bug 216073] [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'n o area' (offset 0, size 1)! bugzilla-daemon
2022-06-05 5:32 ` bugzilla-daemon
2022-06-06 22:13 ` bugzilla-daemon [this message]
2022-06-07 15:05 ` bugzilla-daemon
2022-06-08 2:19 ` bugzilla-daemon
2022-06-08 19:13 ` bugzilla-daemon
2022-06-09 2:49 ` bugzilla-daemon
2022-06-11 10:19 ` bugzilla-daemon
2022-06-11 20:26 ` bugzilla-daemon
2022-06-12 4:42 ` bugzilla-daemon
2022-06-12 11:59 ` bugzilla-daemon
2022-06-12 13:03 ` bugzilla-daemon
2022-06-12 17:26 ` bugzilla-daemon
2022-06-12 18:00 ` bugzilla-daemon
2022-06-12 18:05 ` bugzilla-daemon
2022-06-12 18:44 ` bugzilla-daemon
2022-06-12 19:07 ` bugzilla-daemon
2022-06-12 19:52 ` bugzilla-daemon
2022-06-12 20:53 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-216073-201763-bZMTj6K6Vb@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@kernel.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.