Bug 1373326

Summary: kernel BUG at mm/usercopy.c:75!
Product: [Fedora] Fedora Reporter: Vinson Lee <vlee>
Component: kernelAssignee: Neil Horman <nhorman>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: gansalmon, ichavero, itamar, jonathan, kernel-maint, labbott, madhu.chinakonda, mchehab, nhorman, vlee
Target Milestone: ---Flags: vlee: needinfo-
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-18 14:49:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
4.8.0-0.rc4.git4.1.fc26.x86_64 kernel log none

Description Vinson Lee 2016-09-06 02:30:37 UTC 
Description of problem:
kernel BUG at mm/usercopy.c:75!

Version-Release number of selected component (if applicable):
kernel-4.8.0-0.rc4.git4.1.fc26.x86_64

How reproducible:

Steps to Reproduce:
1. boot
2.
3.

Actual results:

------------[ cut here ]------------
kernel BUG at mm/usercopy.c:75!
invalid opcode: 0000 [#1] SMP
Modules linked in: xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_raw ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security iptable_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security ebtable_filter ebtables ip6table_filter ip6_tables bnep vmw_vsock_vmci_transport vsock snd_seq_midi snd_seq_midi_event intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ppdev ghash_clmulni_intel btusb intel_rapl_perf uvcvideo btrtl btbcm btintel vmw_balloon snd_ens1371 gameport videobuf2_vmalloc snd_rawmidi videobuf2_memops bluetooth
 videobuf2_v4l2 snd_ac97_codec videobuf2_core ac97_bus videodev snd_seq snd_seq_device media snd_pcm rfkill joydev snd_timer snd soundcore vmw_vmci shpchp nfit i2c_piix4 parport_pc parport acpi_cpufreq tpm_tis tpm_tis_core tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc crc32c_intel serio_raw vmwgfx drm_kms_helper e1000 ttm mptspi scsi_transport_spi drm mptscsih ata_generic mptbase pata_acpi fjes
CPU: 0 PID: 1268 Comm: gnome-shell Not tainted 4.8.0-0.rc4.git4.1.fc26.x86_64 #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
task: ffff9394e8568000 task.stack: ffff9394cece8000
RIP: 0010:[<ffffffffa629eea1>]  [<ffffffffa629eea1>] __check_object_size+0x111/0x47a
RSP: 0018:ffff9394cecebc10  EFLAGS: 00010282
RAX: 000000000000006c RBX: ffff9394e6800000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9394ed7ce2a8 RDI: ffff9394ed7ce2a8
RBP: ffff9394cecebc58 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000001128
R13: 0000000000000000 R14: ffff9394e6801128 R15: 000003fffff00000
FS:  00007f5a72ac4ac0(0000) GS:ffff9394ed600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000558bcb39db08 CR3: 000000004ee6b000 CR4: 00000000003406f0
Stack:
 ffff9394e8568000 0000558bcb3086e0 ffff9394e72c0000 ffff9394e6801127
 ffff9394e72c0000 0000558bcb3086e0 ffff9394e72c0000 ffff9394e6800000
 0000000000001128 ffff9394cecebd90 ffffffffc0369eec 0000000000000246
Call Trace:
 [<ffffffffc0369eec>] vmw_execbuf_process+0x97c/0x1370 [vmwgfx]
 [<ffffffffc02e9138>] ? __ttm_read_lock+0x48/0x90 [ttm]
 [<ffffffffc02e95a6>] ? ttm_read_lock.part.1+0x46/0xd0 [ttm]
 [<ffffffffa6237283>] ? __might_fault+0x43/0xa0
 [<ffffffffc02e965c>] ? ttm_read_lock+0x2c/0xd0 [ttm]
 [<ffffffffc036aa72>] vmw_execbuf_ioctl+0x142/0x1b0 [vmwgfx]
 [<ffffffffc036e971>] vmw_generic_ioctl+0x251/0x290 [vmwgfx]
 [<ffffffffc036e9e5>] vmw_unlocked_ioctl+0x15/0x20 [vmwgfx]
 [<ffffffffa62ba403>] do_vfs_ioctl+0xa3/0x720
 [<ffffffffa62c7c85>] ? __fget+0x5/0x200
 [<ffffffffa62baaf9>] SyS_ioctl+0x79/0x90
 [<ffffffffa68fadbc>] entry_SYSCALL_64_fastpath+0x1f/0xbd
Code: 36 02 00 00 49 c7 c0 dc f9 c7 a6 48 c7 c2 5b 78 c5 a6 48 c7 c6 4d 20 c7 a6 4d 89 e1 48 89 d9 48 c7 c7 80 b3 c7 a6 e8 59 71 f5 ff <0f> 0b 4c 8b 75 b8 48 8b 5d c8 45 89 fd 4c 8b 65 c0 4c 89 e6 48 
RIP  [<ffffffffa629eea1>] __check_object_size+0x111/0x47a
 RSP <ffff9394cecebc10>
---[ end trace 638c903d059d8786 ]---

Expected results:


Additional info:
Comment 1 Laura Abbott 2016-09-06 16:31:45 UTC 
Hardened usercopy caught something, can you share the full kernel log
Comment 2 Vinson Lee 2016-09-06 18:53:31 UTC 
Created attachment 1198401 [details]
4.8.0-0.rc4.git4.1.fc26.x86_64 kernel log
Comment 3 Neil Horman 2016-10-18 14:07:41 UTC 
Looks like a failure on copy_from_user, specifically vmware tried to preform a copy_from_user of more thana page worth of data to a heap allocated space allocated via vmalloc.

Upstream, this shouldn't be a problem as vmalloc addresses shouldn't be tested page spanning, as per commit 8e1f74ea02cf4562404c48c6882214821552c13f.  Thats not available to 4.8-rc6.  I can backport it if you like, or we can just wait for the update. Let me know what you would like to do
Comment 4 Laura Abbott 2016-10-18 14:49:35 UTC 
This is available in the current rawhide release.