2023-10-17 09:17:28

by Sachin Sant

Subject: [powerpc] Kernel crash while running LTP (bisected)

While running LTP tests (getpid02) on a Power10 server booted with
6.6.0-rc6-next-20231016, the following crash was seen:

[ 76.386628] Kernel attempted to read user page (d8) - exploit attempt? (uid: 0)
[ 76.386649] BUG: Kernel NULL pointer dereference on read at 0x000000d8
[ 76.386653] Faulting instruction address: 0xc0000000004cda90
[ 76.386658] Oops: Kernel access of bad area, sig: 11 [#1]
[ 76.386661] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries
[ 76.386667] Modules linked in: rpadlpar_io rpaphp xsk_diag nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 bonding rfkill tls ip_set nf_tables nfnetlink sunrpc pseries_rng vmx_crypto aes_gcm_p10_crypto binfmt_misc xfs libcrc32c sd_mod t10_pi sr_mod cdrom crc64_rocksoft crc64 sg ibmvscsi ibmveth scsi_transport_srp fuse
[ 76.386709] CPU: 22 PID: 5763 Comm: getpid02 Kdump: loaded Not tainted 6.6.0-rc6-next-20231016 #3
[ 76.386713] Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1030.20 (NH1030_058) hv:phyp pSeries
[ 76.386718] NIP: c0000000004cda90 LR: c0000000004cd840 CTR: 0000000000000000
[ 76.386721] REGS: c0000001f491b840 TRAP: 0300 Not tainted (6.6.0-rc6-next-20231016)
[ 76.386724] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 48082804 XER: 00000000
[ 76.386733] CFAR: c0000000004cd848 DAR: 00000000000000d8 DSISR: 40000000 IRQMASK: 0
[ 76.386733] GPR00: c0000000004cd840 c0000001f491bae0 c000000001471a00 0000000000000000
[ 76.386733] GPR04: 00000000000000fb 0000000000000000 0000000000000000 0000000000000001
[ 76.386733] GPR08: 00000000000001c4 c0000001fb8aa830 c0000001e5140d00 c0000001eccfac00
[ 76.386733] GPR12: 000000000000001f c000000e87bf7300 0000000000000000 0000000000000000
[ 76.386733] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 76.386733] GPR20: 00007fff9944ffff 0000000000000000 c0000001e86bdd60 c0000001e86be8e0
[ 76.386733] GPR24: 0000000000000001 0000000000000001 0000000000000001 0000000000000000
[ 76.386733] GPR28: 00000000000000fb c0000001e5140d00 00007fff99440000 c0000001fb8aa830
[ 76.386773] NIP [c0000000004cda90] mmap_region+0x8b0/0xb30
[ 76.386781] LR [c0000000004cd840] mmap_region+0x660/0xb30
[ 76.386784] Call Trace:
[ 76.386786] [c0000001f491bae0] [c0000000004cd840] mmap_region+0x660/0xb30 (unreliable)
[ 76.386791] [c0000001f491bc10] [c0000000004ce0dc] do_mmap+0x3cc/0x5c0
[ 76.386794] [c0000001f491bca0] [c000000000486724] vm_mmap_pgoff+0x134/0x240
[ 76.386800] [c0000001f491bd80] [c0000000004c98a8] ksys_mmap_pgoff+0x158/0x2b0
[ 76.386806] [c0000001f491bdf0] [c000000000011834] do_mmap2+0x54/0xc0
[ 76.386811] [c0000001f491be10] [c000000000036624] system_call_exception+0x134/0x330
[ 76.386817] [c0000001f491be50] [c00000000000d6a0] system_call_common+0x160/0x2e4
[ 76.386822] --- interrupt: c00 at 0x7fff9932ff68
[ 76.386825] NIP: 00007fff9932ff68 LR: 0000000010005074 CTR: 0000000000000000
[ 76.386828] REGS: c0000001f491be80 TRAP: 0c00 Not tainted (6.6.0-rc6-next-20231016)
[ 76.386831] MSR: 800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 24002204 XER: 00000000
[ 76.386840] IRQMASK: 0
[ 76.386840] GPR00: 000000000000005a 00007fffd709f9f0 00007fff99407300 0000000000000000
[ 76.386840] GPR04: 0000000000000004 0000000000000003 0000000000000021 ffffffffffffffff
[ 76.386840] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 76.386840] GPR12: 0000000000000000 00007fff994ea3d0 0000000000000000 0000000000000000
[ 76.386840] GPR16: ffffffffffffffff 0000000010034498 0000000010034be8 00000000100336a8
[ 76.386840] GPR20: 0000000010034ba8 0000000000000001 000000001007c418 0000000010033770
[ 76.386840] GPR24: 0000000000000000 0000000000000000 0000000010034bd0 000000001007c438
[ 76.386840] GPR28: 0000000010061c88 00007fffd70afed5 000000001007c438 0000000010033770
[ 76.386876] NIP [00007fff9932ff68] 0x7fff9932ff68
[ 76.386879] LR [0000000010005074] 0x10005074
[ 76.386881] --- interrupt: c00
[ 76.386883] Code: 73890008 4082012c e93f0020 3b000000 fb7f0078 4bfffc74 60000000 60000000 e87f0088 3b000000 4bffff20 60000000 <e93b00d8> 39490044 7d005028 3108ffff
[ 76.386896] ---[ end trace 0000000000000000 ]---
[ 76.388667] pstore: backend (nvram) writing error (-1)

Git bisect points to the following patch:

commit 1db41d29b79ad271674081c752961edd064bbbac
mm: perform the mapping_map_writable() check after call_mmap()

Reverting the patch allows the test to complete.

- Sachin
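
Added example, not part of the original thread: a small triage script that decodes the faulting instruction word from the `Code:` line (the one in angle brackets) and checks it against the register dump and DAR. The function names are hypothetical, the embedded log is an abridged excerpt of the oops above, and only the DS-form `ld` encoding is handled.

```python
import re

# Abridged excerpt of the oops above (only the lines the triage needs).
OOPS = """\
[ 76.386733] CFAR: c0000000004cd848 DAR: 00000000000000d8 DSISR: 40000000 IRQMASK: 0
[ 76.386733] GPR24: 0000000000000001 0000000000000001 0000000000000001 0000000000000000
[ 76.386733] GPR28: 00000000000000fb c0000001e5140d00 00007fff99440000 c0000001fb8aa830
[ 76.386773] NIP [c0000000004cda90] mmap_region+0x8b0/0xb30
[ 76.386883] Code: 4bffff20 60000000 <e93b00d8> 39490044 7d005028 3108ffff
"""

def parse_gprs(log):
    """Return {register number: value}; the first dump (kernel context) wins."""
    gprs = {}
    for m in re.finditer(r"GPR(\d+): ((?:[0-9a-f]{16} ?)+)", log):
        first = int(m.group(1))
        for i, word in enumerate(m.group(2).split()):
            gprs.setdefault(first + i, int(word, 16))
    return gprs

def decode_ds_load(insn):
    """Decode a PowerPC DS-form word; only ld (primary opcode 58, XO 0) is handled."""
    if insn >> 26 != 58 or insn & 0x3 != 0:
        raise ValueError(f"not an ld instruction: {insn:08x}")
    rt, ra = (insn >> 21) & 0x1f, (insn >> 16) & 0x1f
    disp = insn & 0xfffc              # DS field with the two low bits cleared
    if disp & 0x8000:
        disp -= 0x10000               # displacement is sign-extended
    return rt, ra, disp

def triage(log):
    """Recompute the effective address of the faulting load and compare with DAR."""
    insn = int(re.search(r"Code:.*<([0-9a-f]{8})>", log).group(1), 16)
    dar = int(re.search(r"DAR: ([0-9a-f]+)", log).group(1), 16)
    symbol = re.search(r"NIP \[[0-9a-f]+\] (\S+)", log).group(1)
    rt, ra, disp = decode_ds_load(insn)
    base = 0 if ra == 0 else parse_gprs(log)[ra]   # RA=0 encodes a literal zero
    ea = (base + disp) & 0xffffffffffffffff
    return {"symbol": symbol, "insn": f"ld r{rt},{disp}(r{ra})",
            "base": base, "ea": ea, "ea_matches_dar": ea == dar}

if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key}: {value}")
```

A zero base register with the effective address equal to DAR confirms a load through a NULL pointer at offset 0xd8 inside `mmap_region`, matching the kernel's own "NULL pointer dereference on read at 0x000000d8" line.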


2023-10-17 11:06:16

by Lorenzo Stoakes

Subject: Re: [powerpc] Kernel crash while running LTP (bisected)

On Tue, Oct 17, 2023 at 02:46:07PM +0530, Sachin Sant wrote:
> While running LTP tests (getpid02) on a Power10 server booted with
> 6.6.0-rc6-next-20231016, the following crash was seen:
>
> [ 76.386628] Kernel attempted to read user page (d8) - exploit attempt? (uid: 0)
> [ 76.386649] BUG: Kernel NULL pointer dereference on read at 0x000000d8
> [ 76.386653] Faulting instruction address: 0xc0000000004cda90
> [ 76.386658] Oops: Kernel access of bad area, sig: 11 [#1]
[snip]
>
> Git bisect points to the following patch:
>
> commit 1db41d29b79ad271674081c752961edd064bbbac
> mm: perform the mapping_map_writable() check after call_mmap()
>
> Reverting the patch allows the test to complete.
>
> - Sachin

Hi Sachin,

Thanks for the report but this was triggered in another test previously and
has been fixed already (apologies for the inconvenience!) see [0]. Andrew
took the -fix patch and applied to mm-unstable, this should wend its way to
-next in the meantime.

[0]:https://lore.kernel.org/all/[email protected]/

2023-10-17 13:39:28

by Sachin Sant

Subject: Re: [powerpc] Kernel crash while running LTP (bisected)



> On 17-Oct-2023, at 4:35 PM, Lorenzo Stoakes <[email protected]> wrote:
>
> On Tue, Oct 17, 2023 at 02:46:07PM +0530, Sachin Sant wrote:
>> While running LTP tests (getpid02) on a Power10 server booted with
>> 6.6.0-rc6-next-20231016, the following crash was seen:
>>
>> [ 76.386628] Kernel attempted to read user page (d8) - exploit attempt? (uid: 0)
>> [ 76.386649] BUG: Kernel NULL pointer dereference on read at 0x000000d8
>> [ 76.386653] Faulting instruction address: 0xc0000000004cda90
>> [ 76.386658] Oops: Kernel access of bad area, sig: 11 [#1]
> [snip]
>>
>> Git bisect points to the following patch:
>>
>> commit 1db41d29b79ad271674081c752961edd064bbbac
>> mm: perform the mapping_map_writable() check after call_mmap()
>>
>> Reverting the patch allows the test to complete.
>>
>> - Sachin
>
> Hi Sachin,
>
> Thanks for the report but this was triggered in another test previously and
> has been fixed already (apologies for the inconvenience!) see [0]. Andrew
> took the -fix patch and applied to mm-unstable, this should wend its way to
> -next in the meantime.

Ah, thank you. Yes, the fix works for me.

- Sachin