kernel BUG at linux-4.8.0/mm/usercopy.c:75!

Bug #1628686 reported by Vinson Lee
This bug affects 4 people
Affects: linux (Ubuntu) | Status: Won't Fix | Importance: Medium | Assigned to: Unassigned | Milestone: none

Bug Description

This kernel warning occurs on Ubuntu 16.10 guests with Linux 4.8 on VMware Fusion. The VM will boot but does not make it to a graphical display.

usercopy: kernel memory overwrite attempt detected to ffff9bdaf3e00000 (<spans multiple pages>) (4392 bytes)
------------[ cut here ]------------
kernel BUG at /build/linux-FGN3Aj/linux-4.8.0/mm/usercopy.c:75!
invalid opcode: 0000 [#1] SMP
Modules linked in: intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ipmi_msghandler aesni_intel vmw_balloon aes_x86_64 lrw glue_helper ablk_helper cryptd intel_rapl_perf joydev input_leds serio_raw binfmt_misc snd_ens1371 snd_ac97_codec gameport ac97_bus snd_pcm uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core snd_seq_midi videodev snd_seq_midi_event media snd_rawmidi snd_seq snd_seq_device btusb btrtl btbcm snd_timer btintel snd bluetooth soundcore i2c_piix4 vmw_vmci shpchp nfit floppy(+) mac_hid parport_pc ppdev lp parport ip_tables x_tables autofs4 hid_generic usbhid hid vmwgfx ttm psmouse drm_kms_helper syscopyarea sysfillrect ahci libahci e1000 mptspi mptscsih mptbase scsi_transport_spi sysimgblt fb_sys_fops drm pata_acpi fjes
CPU: 0 PID: 1293 Comm: glxinfo Not tainted 4.8.0-17-generic #19-Ubuntu
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
task: ffff9bdb74465580 task.stack: ffff9bdb73f00000
RIP: 0010:[<ffffffff9cc2e421>] [<ffffffff9cc2e421>] __check_object_size+0x111/0x49b
RSP: 0018:ffff9bdb73f03c58 EFLAGS: 00010282
RAX: 000000000000006c RBX: ffff9bdaf3e00000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9bdb7a60dc68 RDI: ffff9bdb7a60dc68
RBP: ffff9bdb73f03ca0 R08: 79706f6372657375 R09: 656b203a79706f63
R10: 00003fffc0000000 R11: 00000000000006c1 R12: 0000000000001128
R13: 0000000000000000 R14: ffff9bdaf3e01128 R15: ffff9bdaf3e01127
FS: 00007f22f6d20740(0000) GS:ffff9bdb7a600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b6cf2c71c8 CR3: 00000000b3f91000 CR4: 00000000001406f0
Stack:
 ffff9bdb73f16ce8 ffff9bdb73f03ca0 ffffffffc03df765 00003fffc0000000
 ffff9bdaf41c0000 000055b6cf0ca1b0 ffff9bdb73edbc00 ffff9bdaf3e00000
 0000000000001128 ffff9bdb73f03d90 ffffffffc03c6f0f ffff9bdb73f03d08
Call Trace:
 [<ffffffffc03df765>] ? vmw_cmdbuf_alloc+0x175/0x240 [vmwgfx]
 [<ffffffffc03c6f0f>] vmw_execbuf_process+0x8bf/0x1250 [vmwgfx]
 [<ffffffff9cc2e43d>] ? __check_object_size+0x12d/0x49b
 [<ffffffffc0246dd6>] ? drm_ioctl+0x236/0x4f0 [drm]
 [<ffffffff9cbab015>] ? __alloc_pages_nodemask+0x135/0x300
 [<ffffffffc03b0cb4>] ? ttm_read_lock+0x34/0xc0 [ttm]
 [<ffffffffc03c79c6>] vmw_execbuf_ioctl+0xe6/0x180 [vmwgfx]
 [<ffffffffc03cb919>] vmw_generic_ioctl+0x249/0x280 [vmwgfx]
 [<ffffffffc03cb985>] vmw_unlocked_ioctl+0x15/0x20 [vmwgfx]
 [<ffffffff9cc47843>] do_vfs_ioctl+0xa3/0x610
 [<ffffffff9ca6b3b3>] ? __do_page_fault+0x203/0x4d0
 [<ffffffff9cc47e29>] SyS_ioctl+0x79/0x90
 [<ffffffff9d299c76>] entry_SYSCALL_64_fastpath+0x1e/0xa8
Code: 1f 03 00 00 49 c7 c0 86 36 6a 9d 48 c7 c2 30 0b 68 9d 48 c7 c6 4c 8e 69 9d 4d 89 e1 48 89 d9 48 c7 c7 10 03 6a 9d e8 03 05 f7 ff <0f> 0b 4c 8b 75 b8 48 8b 5d d0 45 89 fd 4c 8b 65 c8 4c 89 e6 48
RIP [<ffffffff9cc2e421>] __check_object_size+0x111/0x49b
 RSP <ffff9bdb73f03c58>
---[ end trace 48bce713521eb13e ]---

Disabling CONFIG_HARDENED_USERCOPY_PAGESPAN works around this issue.

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8e1f74ea02cf4562404c48c6882214821552c13f

Vinson Lee (vlee)
affects: netcfg (Ubuntu) → linux (Ubuntu)
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1628686

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Vinson Lee (vlee) wrote :

$ apport-collect 1628686
The authorization page:
[...]
should be opening in your browser. Use your browser to authorize
this program to access Launchpad on your behalf.
Waiting to hear from Launchpad about your decision...
ERROR: connecting to Launchpad failed: local variable 'browser_obj' referenced before assignment

Joseph Salisbury (jsalisbury) wrote :

The Yakkety kernel in -proposed now has CONFIG_HARDENED_USERCOPY_PAGESPAN disabled.

Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Incomplete → Triaged
tags: added: kernel-da-key yakkety
David Lee (ramchyld) wrote :

Getting the same error with the Blackmagic Intensity module.

[ 73.553893] ------------[ cut here ]------------
[ 73.553896] kernel BUG at /build/linux-NNryke/linux-4.8.0/mm/usercopy.c:75!
[ 73.553899] invalid opcode: 0000 [#3] SMP
[ 73.553901] Modules linked in: xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp esp4 ah4 af_key xfrm_algo snd_hrtimer binfmt_misc nls_iso8859_1 snd_hda_codec_via snd_hda_codec_generic ir_lirc_codec lirc_dev rc_rc6_mce mceusb kvm_amd kvm irqbypass nvidia_uvm(POE) snd_hda_codec_hdmi input_leds serio_raw blackmagic(POE) k8temp snd_usb_audio snd_usbmidi_lib gspca_sonixj gspca_main v4l2_common videodev media snd_hda_intel snd_ctxfi snd_hda_codec rc_imon_pad imon rc_core snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd shpchp soundcore asus_atk0110 wmi i2c_nforce2 mac_hid nfsd auth_rpcgss nfs_acl lockd grace sunrpc parport_pc ppdev lp parport ip_tables x_tables autofs4 dm_mirror dm_region_hash dm_log btrfs raid10 raid1 raid0 dm_raid raid456
[ 73.553946] async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c pata_acpi nvidia(POE) psmouse firewire_ohci drm forcedeth firewire_core crc_itu_t ahci libahci pata_amd video floppy fjes
[ 73.553961] CPU: 0 PID: 2886 Comm: BlackmagicFirmw Tainted: P D OE 4.8.0-22-generic #24-Ubuntu
[ 73.553963] Hardware name: System manufacturer System Product Name/M4N78 PRO, BIOS 1303 04/13/2011
[ 73.553965] task: ffff939669f39a00 task.stack: ffff9395e0e24000
[ 73.553967] RIP: 0010:[<ffffffffade2e647>] [<ffffffffade2e647>] __check_object_size+0x77/0x1dc
[ 73.553974] RSP: 0018:ffff9395e0e27ca0 EFLAGS: 00010286
[ 73.553976] RAX: 0000000000000063 RBX: ffff9395e0e27d38 RCX: 0000000000000000
[ 73.553978] RDX: 0000000000000000 RSI: ffff939677c0dc68 RDI: ffff939677c0dc68
[ 73.553980] RBP: ffff9395e0e27cc0 R08: 0000000000087388 R09: 0000000000000005
[ 73.553982] R10: ffff9395e0d6d738 R11: 000000000000046c R12: 0000000000000010
[ 73.553984] R13: 0000000000000000 R14: ffff9395e0e27d48 R15: 00007ffc763f0eb0
[ 73.553986] FS: 00007efe82091780(0000) GS:ffff939677c00000(0000) knlGS:0000000000000000
[ 73.553988] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 73.553990] CR2: 00007efe80e75150 CR3: 00000000a0f16000 CR4: 00000000000006f0
[ 73.553992] Stack:
[ 73.553994] ffff9395e0e27d38 0000000000000010 00007ffc763f0eb0 ffff93966715e108
[ 73.553998] ffff9395e0e27ce8 ffffffffc10841eb ffff9395e0e27d38 0000000000010000
[ 73.554001] 0000000000000000 00007ffc763f0eb0 ffffffffc106677a ffff9395d75d7000
[ 73.554004] Call Trace:
[ 73.554067] [<ffffffffc10841eb>] __dl_copy_from_user+0x1b/0x40 [blackmagic]
[ 73.554101] [<ffffffffc106677a>] _ZN18IoctlMessageKernel6unpackEv+0x4a/0x160 [blackmagic]
[ 73.554130] [<ffffffffc103162b>] ? blackmagic_ioctl_private+0x35db/0x4080 [blackmagic]
[ 73.554133] [<ffffffffade444a5>] ? do_filp_open+0xa5/0x100
[ 73.554164] [<ffffffffc1082ff9>] ? blackmagic_ioctl+0x49/0x60 [blackmagic]
[ 73.554167] [<ffffffffade47843>] ? do_vfs_ioctl+0xa3/0x610
[ 73.554171] [<ffffffffade432b4>] ? putname+0x54/0x60
[ 73.554174] [<ff...


David Lee (ramchyld) wrote :

Upgraded to proposed kernel.

Linux helen 4.8.0-25-generic #27-Ubuntu SMP Thu Oct 13 03:34:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Issue still occurs:

[ 75.257763] usercopy: kernel memory overwrite attempt detected to ffff9dfb48493d38 (<process stack>) (16 bytes)
[ 75.257791] ------------[ cut here ]------------
[ 75.257793] kernel BUG at /build/linux-rb6V7L/linux-4.8.0/mm/usercopy.c:75!
[ 75.257795] invalid opcode: 0000 [#3] SMP
[ 75.257797] Modules linked in: xfrm_user xfrm4_tunnel tunnel4 ipcomp xfrm_ipcomp esp4 ah4 af_key xfrm_algo snd_hrtimer binfmt_misc nls_iso8859_1 ir_lirc_codec lirc_dev rc_rc6_mce mceusb snd_hda_codec_via snd_hda_codec_generic kvm_amd kvm nvidia_uvm(POE) irqbypass input_leds serio_raw blackmagic(POE) k8temp snd_usb_audio snd_hda_codec_hdmi snd_usbmidi_lib gspca_sonixj gspca_main v4l2_common videodev media rc_imon_pad imon rc_core snd_hda_intel snd_ctxfi snd_hda_codec snd_hda_core snd_seq_midi snd_seq_midi_event shpchp snd_hwdep snd_rawmidi snd_seq snd_pcm snd_seq_device snd_timer snd soundcore asus_atk0110 i2c_nforce2 wmi mac_hid nfsd auth_rpcgss nfs_acl lockd grace sunrpc parport_pc ppdev lp parport ip_tables x_tables autofs4 dm_mirror dm_region_hash dm_log btrfs raid10 raid1 raid0 dm_raid raid456
[ 75.257835] async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c pata_acpi nvidia(POE) psmouse drm video firewire_ohci firewire_core floppy ahci fjes forcedeth libahci crc_itu_t pata_amd
[ 75.257848] CPU: 1 PID: 2837 Comm: BlackmagicFirmw Tainted: P D OE 4.8.0-25-generic #27-Ubuntu
[ 75.257850] Hardware name: System manufacturer System Product Name/M4N78 PRO, BIOS 1303 04/13/2011
[ 75.257852] task: ffff9dfb487e0d00 task.stack: ffff9dfb48490000
[ 75.257854] RIP: 0010:[<ffffffff9d82e647>] [<ffffffff9d82e647>] __check_object_size+0x77/0x1dc
[ 75.257860] RSP: 0018:ffff9dfb48493ca0 EFLAGS: 00010286
[ 75.257862] RAX: 0000000000000063 RBX: ffff9dfb48493d38 RCX: 0000000000000000
[ 75.257863] RDX: 0000000000000000 RSI: ffff9dfbf7c4dc68 RDI: ffff9dfbf7c4dc68
[ 75.257865] RBP: ffff9dfb48493cc0 R08: 000000000003eee3 R09: 0000000000000005
[ 75.257867] R10: ffff9dfb5fc43238 R11: 000000000000040a R12: 0000000000000010
[ 75.257868] R13: 0000000000000000 R14: ffff9dfb48493d48 R15: 00007ffdccd9da50
[ 75.257870] FS: 00007fbd30601780(0000) GS:ffff9dfbf7c40000(0000) knlGS:0000000000000000
[ 75.257872] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.257874] CR2: 00007fbd2f3e4150 CR3: 00000000a024a000 CR4: 00000000000006e0
[ 75.257875] Stack:
[ 75.257877] ffff9dfb48493d38 0000000000000010 00007ffdccd9da50 ffff9dfbed7436c8
[ 75.257880] ffff9dfb48493ce8 ffffffffc11c11eb ffff9dfb48493d38 0000000000010000
[ 75.257883] 0000000000000000 00007ffdccd9da50 ffffffffc11a377a ffff9dfb57e7d000
[ 75.257885] Call Trace:
[ 75.257946] [<ffffffffc11c11eb>] __dl_copy_from_user+0x1b/0x40 [blackmagic]
[ 75.257974] [<ffffffffc11a377a>] _ZN18IoctlMessageKernel6unpackEv+0x4a/0x160 [blackmagic]
[ 75.257997] [<ffffffffc116e62b>] ? blackmagic_ioctl_private+0x35db/0x4080 [blackmagic]
[ 75.258001] [<ffffffff9d7a18a2>] ? filemap_map_pages+0x202/0x410
[ ...


Joseph Salisbury (jsalisbury) wrote :

Hi David,

Can you run the following command with that running -proposed kernel:

grep HARDENED_USERCOPY_PAGESPAN= /boot/config-`uname -r`

David Lee (ramchyld) wrote :

I ran the command as requested and got nothing.

root@helen:~# grep HARDENED_USERCOPY_PAGESPAN= /boot/config-`uname -r`
root@helen:~#

There appears to be another kernel update today. However that update did not help with the issue.

Joseph Salisbury (jsalisbury) wrote :

@David Lee, that indicates that HARDENED_USERCOPY_PAGESPAN is not set.

@Vinson Lee, do you still see this bug with the latest -proposed kernel as well?
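The thread asks the same two questions at every step: is the page-span check compiled into the running kernel, and which `usercopy:` detections does the log actually contain (the reporter's hit spans multiple pages, David Lee's hits are on the process stack, so disabling CONFIG_HARDENED_USERCOPY_PAGESPAN can only help the former). The following triage helper is an added example, not code from the bug report or from the Ubuntu kernel team; it takes the config file and the saved log as arguments instead of reading `/boot/config-$(uname -r)` and `dmesg` directly, so it can run offline. The sample config is constructed; the sample log lines are copied from the report above. The `exposure ... from` variant it also matches is the copy_to_user direction of the same kernel message.

```shell
#!/bin/sh
# Added example: triage helper for hardened-usercopy BUG reports.
# Not part of the bug report; paths are passed in so it runs offline.

# Report the state of CONFIG_HARDENED_USERCOPY_PAGESPAN in a kernel config file:
# "y" (check compiled in), "n" (explicitly disabled), or "unset" (option absent,
# which is what an empty grep result in the thread means).
pagespan_state() {
    config="$1"
    line=$(grep -E '^(# )?CONFIG_HARDENED_USERCOPY_PAGESPAN' "$config" 2>/dev/null | head -n 1)
    case "$line" in
        "CONFIG_HARDENED_USERCOPY_PAGESPAN=y")         echo y ;;
        "# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set") echo n ;;
        *)                                               echo unset ;;
    esac
}

# Reduce each "usercopy: kernel memory <kind> attempt detected <dir> ADDR (<region>) (N bytes)"
# line to "<kind> <dir> <region> <N>", one per hit, with or without a dmesg timestamp prefix.
# The region name tells a page-span hit apart from a stack or slab hit.
usercopy_hits() {
    log="$1"
    sed -E -n \
      's/.*usercopy: kernel memory (overwrite|exposure) attempt detected (to|from) [0-9a-f]+ \(<([^>]+)>\) \(([0-9]+) bytes\).*/\1 \2 \3 \4/p' \
      "$log"
}

# Count only the hits that the page-span option is responsible for.
pagespan_hit_count() {
    usercopy_hits "$1" | grep -c 'spans multiple pages'
}

# --- constructed sample inputs (written to a temp dir so the script is self-contained) ---
tmp=$(mktemp -d)
CONFIG_SAMPLE="$tmp/config-sample"   # constructed: mirrors the Yakkety -proposed change
LOG_SAMPLE="$tmp/kern.log"           # lines copied from the bug report above
cat > "$CONFIG_SAMPLE" <<'EOF'
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
EOF
cat > "$LOG_SAMPLE" <<'EOF'
usercopy: kernel memory overwrite attempt detected to ffff9bdaf3e00000 (<spans multiple pages>) (4392 bytes)
------------[ cut here ]------------
[   75.257763] usercopy: kernel memory overwrite attempt detected to ffff9dfb48493d38 (<process stack>) (16 bytes)
EOF

# Stand-alone run: print the config state and the classified hits.
echo "pagespan check: $(pagespan_state "$CONFIG_SAMPLE")"
usercopy_hits "$LOG_SAMPLE"
echo "page-span hits: $(pagespan_hit_count "$LOG_SAMPLE")"
```

Run against a real machine with `pagespan_state /boot/config-$(uname -r)` and `usercopy_hits /var/log/kern.log`. A page-span hit count of zero alongside remaining `process stack` hits, as in David Lee's second trace, points at the driver's own copy size rather than at the page-span option.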

David Lee (ramchyld) wrote :

@Joseph Salisbury: I've upgraded to the latest kernel and the problem still persists. I'm starting to think it's a problem with the Blackmagic drivers?

Po-Hsu Lin (cypressyew) wrote :

Closing this bug with Won't fix as this kernel / release is no longer supported.
Please feel free to open a new bug report if you're still experiencing this on a newer release (Bionic 18.04.3 / Disco 19.04).
Thanks!

Changed in linux (Ubuntu):
status: Triaged → Won't Fix