Bug 1373326 - kernel BUG at mm/usercopy.c:75!
Summary: kernel BUG at mm/usercopy.c:75!
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Neil Horman
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2016-09-06 02:30 UTC by Vinson Lee
Modified: 2016-12-27 07:42 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-10-18 14:49:35 UTC
Type: Bug
vlee: needinfo-

Attachments (Terms of Use)
4.8.0-0.rc4.git4.1.fc26.x86_64 kernel log (125.32 KB, text/plain)
2016-09-06 18:53 UTC, Vinson Lee
no flags Details

Description Vinson Lee 2016-09-06 02:30:37 UTC
Description of problem:
kernel BUG at mm/usercopy.c:75!

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. boot

Actual results:

------------[ cut here ]------------
kernel BUG at mm/usercopy.c:75!
invalid opcode: 0000 [#1] SMP
Modules linked in: xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_raw ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security iptable_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security ebtable_filter ebtables ip6table_filter ip6_tables bnep vmw_vsock_vmci_transport vsock snd_seq_midi snd_seq_midi_event intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ppdev ghash_clmulni_intel btusb intel_rapl_perf uvcvideo btrtl btbcm btintel vmw_balloon snd_ens1371 gameport videobuf2_vmalloc snd_rawmidi videobuf2_memops bluetooth
 videobuf2_v4l2 snd_ac97_codec videobuf2_core ac97_bus videodev snd_seq snd_seq_device media snd_pcm rfkill joydev snd_timer snd soundcore vmw_vmci shpchp nfit i2c_piix4 parport_pc parport acpi_cpufreq tpm_tis tpm_tis_core tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc crc32c_intel serio_raw vmwgfx drm_kms_helper e1000 ttm mptspi scsi_transport_spi drm mptscsih ata_generic mptbase pata_acpi fjes
CPU: 0 PID: 1268 Comm: gnome-shell Not tainted 4.8.0-0.rc4.git4.1.fc26.x86_64 #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
task: ffff9394e8568000 task.stack: ffff9394cece8000
RIP: 0010:[<ffffffffa629eea1>]  [<ffffffffa629eea1>] __check_object_size+0x111/0x47a
RSP: 0018:ffff9394cecebc10  EFLAGS: 00010282
RAX: 000000000000006c RBX: ffff9394e6800000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9394ed7ce2a8 RDI: ffff9394ed7ce2a8
RBP: ffff9394cecebc58 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000001128
R13: 0000000000000000 R14: ffff9394e6801128 R15: 000003fffff00000
FS:  00007f5a72ac4ac0(0000) GS:ffff9394ed600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000558bcb39db08 CR3: 000000004ee6b000 CR4: 00000000003406f0
 ffff9394e8568000 0000558bcb3086e0 ffff9394e72c0000 ffff9394e6801127
 ffff9394e72c0000 0000558bcb3086e0 ffff9394e72c0000 ffff9394e6800000
 0000000000001128 ffff9394cecebd90 ffffffffc0369eec 0000000000000246
Call Trace:
 [<ffffffffc0369eec>] vmw_execbuf_process+0x97c/0x1370 [vmwgfx]
 [<ffffffffc02e9138>] ? __ttm_read_lock+0x48/0x90 [ttm]
 [<ffffffffc02e95a6>] ? ttm_read_lock.part.1+0x46/0xd0 [ttm]
 [<ffffffffa6237283>] ? __might_fault+0x43/0xa0
 [<ffffffffc02e965c>] ? ttm_read_lock+0x2c/0xd0 [ttm]
 [<ffffffffc036aa72>] vmw_execbuf_ioctl+0x142/0x1b0 [vmwgfx]
 [<ffffffffc036e971>] vmw_generic_ioctl+0x251/0x290 [vmwgfx]
 [<ffffffffc036e9e5>] vmw_unlocked_ioctl+0x15/0x20 [vmwgfx]
 [<ffffffffa62ba403>] do_vfs_ioctl+0xa3/0x720
 [<ffffffffa62c7c85>] ? __fget+0x5/0x200
 [<ffffffffa62baaf9>] SyS_ioctl+0x79/0x90
 [<ffffffffa68fadbc>] entry_SYSCALL_64_fastpath+0x1f/0xbd
Code: 36 02 00 00 49 c7 c0 dc f9 c7 a6 48 c7 c2 5b 78 c5 a6 48 c7 c6 4d 20 c7 a6 4d 89 e1 48 89 d9 48 c7 c7 80 b3 c7 a6 e8 59 71 f5 ff <0f> 0b 4c 8b 75 b8 48 8b 5d c8 45 89 fd 4c 8b 65 c0 4c 89 e6 48 
RIP  [<ffffffffa629eea1>] __check_object_size+0x111/0x47a
 RSP <ffff9394cecebc10>
---[ end trace 638c903d059d8786 ]---

Expected results:

Additional info:

Comment 1 Laura Abbott 2016-09-06 16:31:45 UTC
Hardened usercopy caught something, can you share the full kernel log

Comment 2 Vinson Lee 2016-09-06 18:53:31 UTC
Created attachment 1198401 [details]
4.8.0-0.rc4.git4.1.fc26.x86_64 kernel log

Comment 3 Neil Horman 2016-10-18 14:07:41 UTC
Looks like a failure on copy_from_user, specifically vmware tried to preform a copy_from_user of more thana page worth of data to a heap allocated space allocated via vmalloc.

Upstream, this shouldn't be a problem as vmalloc addresses shouldn't be tested page spanning, as per commit 8e1f74ea02cf4562404c48c6882214821552c13f.  Thats not available to 4.8-rc6.  I can backport it if you like, or we can just wait for the update. Let me know what you would like to do

Comment 4 Laura Abbott 2016-10-18 14:49:35 UTC
This is available in the current rawhide release.

Note You need to log in before you can comment on or make changes to this bug.