The following kernel crash was noticed while booting arm64 devices and qemu-arm64 with kselftest merge configs enabled.
Reported-by: Linux Kernel Functional Testing lkft@linaro.org
crash log:
----------
usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_small_head' (offset 130, size 12)!
..
[ 24.673364] ------------[ cut here ]------------
[ 24.673812] kernel BUG at mm/usercopy.c:102!
[ 24.674631] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[ 24.675389] Modules linked in:
[ 24.676231] CPU: 3 PID: 1 Comm: systemd Not tainted 6.2.0-rc7-next-20230209 #1
[ 24.676779] Hardware name: linux,dummy-virt (DT)
[ 24.677256] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 24.677695] pc : usercopy_abort (mm/usercopy.c:102 (discriminator 24))
[ 24.678470] lr : usercopy_abort (mm/usercopy.c:102 (discriminator 24))
[ 24.678717] sp : ffff80000803bab0
[ 24.678949] x29: ffff80000803bac0 x28: ffff0000c0838040 x27: ffff80000803bc70
[ 24.679618] x26: 0000000000000000 x25: ffff0000c0fe4040 x24: ffff0000c4752000
[ 24.680050] x23: 0000000000000000 x22: 0000000000000020 x21: 0000000000000000
[ 24.680484] x20: ffffc94cf339ac70 x19: ffffc94cf31861b8 x18: 0000000000000000
[ 24.680929] x17: 63656a626f204255 x16: 4c53206f74206465 x15: 7463657465642074
[ 24.681372] x14: 706d657474612065 x13: 2129323320657a69 x12: 0000000000000001
[ 24.681810] x11: ffffc94cf372ba24 x10: 65685f6c6c616d73 x9 : ffffc94cf1184028
[ 24.682299] x8 : ffff80000803b7b8 x7 : ffffc94cf4207170 x6 : 0000000000000001
[ 24.682742] x5 : 0000000000000001 x4 : ffffc94cf4165000 x3 : 0000000000000000
[ 24.683216] x2 : 0000000000000000 x1 : ffff0000c0838040 x0 : 000000000000006a
[ 24.683788] Call trace:
[ 24.684019] usercopy_abort (mm/usercopy.c:102 (discriminator 24))
[ 24.684346] __check_heap_object (mm/slub.c:4739)
[ 24.684621] __check_object_size (mm/usercopy.c:196 mm/usercopy.c:251 mm/usercopy.c:213)
[ 24.684883] netlink_sendmsg (include/linux/uio.h:177 include/linux/uio.h:184 include/linux/skbuff.h:3977 net/netlink/af_netlink.c:1927)
[ 24.685161] __sys_sendto (net/socket.c:722 net/socket.c:745 net/socket.c:2142)
[ 24.685397] __arm64_sys_sendto (net/socket.c:2150)
[ 24.685644] invoke_syscall (arch/arm64/include/asm/current.h:19 arch/arm64/kernel/syscall.c:57)
[ 24.685891] el0_svc_common.constprop.0 (arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/syscall.c:150)
[ 24.686164] do_el0_svc (arch/arm64/kernel/syscall.c:194)
[ 24.686401] el0_svc (arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:142 arch/arm64/kernel/entry-common.c:638)
[ 24.686602] el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:656)
[ 24.686862] el0t_64_sync (arch/arm64/kernel/entry.S:591)
[ 24.687307] Code: aa1303e3 9000ea60 91300000 97f49682 (d4210000)
All code
========
   0:*  e3 03                   jrcxz  0x5                      <-- trapping instruction
   2:   13 aa 60 ea 00 90       adc    -0x6fff15a0(%rdx),%ebp
   8:   00 00                   add    %al,(%rax)
   a:   30 91 82 96 f4 97       xor    %dl,-0x680b697e(%rcx)
  10:   00 00                   add    %al,(%rax)
  12:   21 d4                   and    %edx,%esp

Code starting with the faulting instruction
===========================================
   0:   00 00                   add    %al,(%rax)
   2:   21 d4                   and    %edx,%esp
[ 24.688236] ---[ end trace 0000000000000000 ]---
[ 24.688722] note: systemd[1] exited with irqs disabled
[ 24.689588] note: systemd[1] exited with preempt_count 1
[ 24.690331] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 24.690875] SMP: stopping secondary CPUs
[ 24.691749] Kernel Offset: 0x494ce9000000 from 0xffff800008000000
[ 24.692103] PHYS_OFFSET: 0x40000000
[ 24.692349] CPU features: 0x000000,0068c25f,3326773f
[ 24.692924] Memory Limit: none
[ 24.693422] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
detailed boot logs:
https://lkft.validation.linaro.org/scheduler/job/6145112#L778
https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230209/tes...
https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230209/tes...

metadata:
git_ref: master
git_repo: https://gitlab.com/Linaro/lkft/mirrors/next/linux-next
git_sha: 20f513df926fac0594a3b65f79d856bd64251861
git_describe: next-20230209
kernel_version: 6.2.0-rc7
kernel-config: https://storage.tuxsuite.com/public/linaro/lkft/builds/2LUB6A6xC34mySgwQ3vPa...
artifact-location: https://storage.tuxsuite.com/public/linaro/lkft/builds/2LUB6A6xC34mySgwQ3vPa...
toolchain: gcc-11
build_name: gcc-11-lkftconfig-kselftest
-- Linaro LKFT https://lkft.linaro.org
On Thu, Feb 9, 2023 at 9:57 AM Naresh Kamboju naresh.kamboju@linaro.org wrote:
This should be fixed when this patch is accepted/merged.
https://patchwork.kernel.org/project/netdevbpf/patch/20230208142508.3278406-...
Thanks.