Description of problem:
kernel BUG at mm/usercopy.c:75!

Version-Release number of selected component (if applicable):
kernel-4.8.0-0.rc4.git4.1.fc26.x86_64

How reproducible:

Steps to Reproduce:
1. boot
2.
3.

Actual results:
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:75!
invalid opcode: 0000 [#1] SMP
Modules linked in: xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_raw ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security iptable_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security ebtable_filter ebtables ip6table_filter ip6_tables bnep vmw_vsock_vmci_transport vsock snd_seq_midi snd_seq_midi_event intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ppdev ghash_clmulni_intel btusb intel_rapl_perf uvcvideo btrtl btbcm btintel vmw_balloon snd_ens1371 gameport videobuf2_vmalloc snd_rawmidi videobuf2_memops bluetooth videobuf2_v4l2 snd_ac97_codec videobuf2_core ac97_bus videodev snd_seq snd_seq_device media snd_pcm rfkill joydev snd_timer snd soundcore vmw_vmci shpchp nfit i2c_piix4 parport_pc parport acpi_cpufreq tpm_tis tpm_tis_core tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc crc32c_intel serio_raw vmwgfx drm_kms_helper e1000 ttm mptspi scsi_transport_spi drm mptscsih ata_generic mptbase pata_acpi fjes
CPU: 0 PID: 1268 Comm: gnome-shell Not tainted 4.8.0-0.rc4.git4.1.fc26.x86_64 #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
task: ffff9394e8568000 task.stack: ffff9394cece8000
RIP: 0010:[<ffffffffa629eea1>]  [<ffffffffa629eea1>] __check_object_size+0x111/0x47a
RSP: 0018:ffff9394cecebc10  EFLAGS: 00010282
RAX: 000000000000006c RBX: ffff9394e6800000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9394ed7ce2a8 RDI: ffff9394ed7ce2a8
RBP: ffff9394cecebc58 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000001128
R13: 0000000000000000 R14: ffff9394e6801128 R15: 000003fffff00000
FS:  00007f5a72ac4ac0(0000) GS:ffff9394ed600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000558bcb39db08 CR3: 000000004ee6b000 CR4: 00000000003406f0
Stack:
 ffff9394e8568000 0000558bcb3086e0 ffff9394e72c0000 ffff9394e6801127
 ffff9394e72c0000 0000558bcb3086e0 ffff9394e72c0000 ffff9394e6800000
 0000000000001128 ffff9394cecebd90 ffffffffc0369eec 0000000000000246
Call Trace:
 [<ffffffffc0369eec>] vmw_execbuf_process+0x97c/0x1370 [vmwgfx]
 [<ffffffffc02e9138>] ? __ttm_read_lock+0x48/0x90 [ttm]
 [<ffffffffc02e95a6>] ? ttm_read_lock.part.1+0x46/0xd0 [ttm]
 [<ffffffffa6237283>] ? __might_fault+0x43/0xa0
 [<ffffffffc02e965c>] ? ttm_read_lock+0x2c/0xd0 [ttm]
 [<ffffffffc036aa72>] vmw_execbuf_ioctl+0x142/0x1b0 [vmwgfx]
 [<ffffffffc036e971>] vmw_generic_ioctl+0x251/0x290 [vmwgfx]
 [<ffffffffc036e9e5>] vmw_unlocked_ioctl+0x15/0x20 [vmwgfx]
 [<ffffffffa62ba403>] do_vfs_ioctl+0xa3/0x720
 [<ffffffffa62c7c85>] ? __fget+0x5/0x200
 [<ffffffffa62baaf9>] SyS_ioctl+0x79/0x90
 [<ffffffffa68fadbc>] entry_SYSCALL_64_fastpath+0x1f/0xbd
Code: 36 02 00 00 49 c7 c0 dc f9 c7 a6 48 c7 c2 5b 78 c5 a6 48 c7 c6 4d 20 c7 a6 4d 89 e1 48 89 d9 48 c7 c7 80 b3 c7 a6 e8 59 71 f5 ff <0f> 0b 4c 8b 75 b8 48 8b 5d c8 45 89 fd 4c 8b 65 c0 4c 89 e6 48
RIP  [<ffffffffa629eea1>] __check_object_size+0x111/0x47a
 RSP <ffff9394cecebc10>
---[ end trace 638c903d059d8786 ]---

Expected results:


Additional info:
Hardened usercopy caught something. Can you share the full kernel log?
Created attachment 1198401 [details] 4.8.0-0.rc4.git4.1.fc26.x86_64 kernel log
Looks like a failure on copy_from_user; specifically, vmware tried to perform a copy_from_user of more than a page worth of data to a heap-allocated space allocated via vmalloc. Upstream, this shouldn't be a problem, as vmalloc addresses shouldn't be tested for page spanning, as per commit 8e1f74ea02cf4562404c48c6882214821552c13f. That's not available in 4.8-rc6. I can backport it if you like, or we can just wait for the update. Let me know what you would like to do.
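To make the failure mode in the comment above concrete, here is an added user-space model of the hardened-usercopy page-spanning heuristic. It is not the kernel's code and not part of this bug report; the address windows, page table, compound page and the `is_linear_addr` / `virt_to_head_pfn` helpers are constructed for illustration. The point it shows: the heuristic accepts an object only if it sits inside one base page or one compound page, which a kmalloc()-style object satisfies but a multi-page vmalloc() object never can, since its virtually contiguous range is backed by scattered frames. The copy length 0x1128 (just over one 4 KiB page) is chosen to match the value visible in R12 in the register dump, but the model does not depend on that reading.

```c
/* Added example: user-space model of the hardened-usercopy page-spanning
 * check.  Not kernel code; layout, page table and helpers are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12UL
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1UL))

/* Constructed layout (not the real x86_64 map): a linear map where
 * virt -> pfn is plain arithmetic, and a small vmalloc window backed by
 * a page table whose frames are deliberately scattered. */
#define LINEAR_MAP_START 0xffff888000000000UL
#define LINEAR_MAP_PAGES 0x1000UL
#define VMALLOC_START    0xffffc90000000000UL
#define VMALLOC_PAGES    8UL

static const unsigned long vmalloc_pt[VMALLOC_PAGES] = {
    0x2f1, 0x07c, 0x5a9, 0x133, 0x410, 0x0e2, 0x7b8, 0x266   /* scattered pfns */
};

/* One hypothetical order-2 compound page (4 frames) in the linear map,
 * standing in for a multi-page kmalloc() allocation. */
static const unsigned long compound_head_pfn = 0x100;
static const unsigned long compound_order    = 2;

static bool is_vmalloc_addr(uintptr_t p)
{
    return p >= VMALLOC_START && p < VMALLOC_START + VMALLOC_PAGES * PAGE_SIZE;
}

static bool is_linear_addr(uintptr_t p)
{
    return p >= LINEAR_MAP_START && p < LINEAR_MAP_START + LINEAR_MAP_PAGES * PAGE_SIZE;
}

/* Model of virt_to_head_page(): which frame "owns" the byte at p.
 * Tail pages of the compound page resolve to its head; 0 = untranslatable. */
static unsigned long virt_to_head_pfn(uintptr_t p)
{
    if (is_linear_addr(p)) {
        unsigned long pfn = (p - LINEAR_MAP_START) >> PAGE_SHIFT;
        if (pfn >= compound_head_pfn && pfn < compound_head_pfn + (1UL << compound_order))
            return compound_head_pfn;
        return pfn;
    }
    if (is_vmalloc_addr(p))
        return vmalloc_pt[(p - VMALLOC_START) >> PAGE_SHIFT];
    return 0;
}

/* The page-spanning heuristic: the object must lie within one base page
 * or within one compound page.  NULL = allowed, otherwise a reason. */
static const char *check_page_span(uintptr_t ptr, unsigned long n)
{
    uintptr_t end = ptr + n - 1;
    if ((ptr & PAGE_MASK) == (end & PAGE_MASK))
        return NULL;                            /* wholly inside one base page */
    if (virt_to_head_pfn(ptr) == virt_to_head_pfn(end))
        return NULL;                            /* wholly inside one compound page */
    return "<spans multiple pages>";
}

/* Model of the heap branch of __check_object_size().  With exempt_vmalloc
 * set, vmalloc addresses skip the page test (what the comment above says
 * upstream does); without it the test runs on a physically scattered object. */
static const char *check_heap_object(uintptr_t ptr, unsigned long n, bool exempt_vmalloc)
{
    if (exempt_vmalloc && is_vmalloc_addr(ptr))
        return NULL;
    if (!is_linear_addr(ptr) && !is_vmalloc_addr(ptr))
        return NULL;                            /* nothing the model can page-check */
    return check_page_span(ptr, n);
}

int main(void)
{
    uintptr_t kbuf = LINEAR_MAP_START + compound_head_pfn * PAGE_SIZE;  /* head of compound page */
    uintptr_t vbuf = VMALLOC_START;                                     /* start of vmalloc object */
    unsigned long n = 0x1128;                                           /* just over one page */
    struct { const char *what; uintptr_t p; bool exempt; } cases[] = {
        { "kmalloc-style object inside one compound page", kbuf, false },
        { "vmalloc object, page test applied",             vbuf, false },
        { "vmalloc object, vmalloc exempted",              vbuf, true  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *r = check_heap_object(cases[i].p, n, cases[i].exempt);
        printf("%-48s -> %s\n", cases[i].what, r ? r : "ok");
    }
    return 0;
}
```

Running it prints "ok" for the compound-page object and for the exempted vmalloc object, and "<spans multiple pages>" for the vmalloc object when the page test is applied to it, which is the condition the BUG() above corresponds to in this model.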
This is available in the current rawhide release.