arm64: usercopy: kernel memory overwrite attempt detected to (null) (<null>) (6 bytes)

Bug #1720229 reported by dann frazier
This bug affects 1 person

Affects          Status       Importance  Assigned to    Milestone
linux (Ubuntu)   In Progress  Undecided   dann frazier
Artful           In Progress  Undecided   dann frazier

Bug Description

[Impact]
I observed this stack trace when attempting to install the 2017.09.26 daily arm64/artful server ISO:

[ 107.816592] usercopy: kernel memory overwrite attempt detected to (null) (<null>) (6 bytes)
[ 107.818389] Internal error: Oops - BUG: 0 [#1] SMP
[ 107.819170] Modules linked in: raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear scsi_dh_alua scsi_dh_emc scsi_dh_hp_sw scsi_dh_rdac virtio_blk virtio_net nls_utf8 isofs usb_storage virtio_scsi
[ 107.823033] CPU: 0 PID: 8105 Comm: dmraid Not tainted 4.13.0-12-generic #13-Ubuntu
[ 107.824318] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[ 107.825490] task: ffff80007cfbe900 task.stack: ffff80007792c000
[ 107.826498] PC is at __check_object_size+0x114/0x200
[ 107.827349] LR is at __check_object_size+0x114/0x200
[ 107.828192] pc : [<ffff0000082b8534>] lr : [<ffff0000082b8534>] pstate: 00400145
[ 107.829458] sp : ffff80007792fb00
[ 107.830026] x29: ffff80007792fb00 x28: 0000000000000000
[ 107.830934] x27: 0000fffffa066520 x26: ffff80007ce6c000
[ 107.831840] x25: 000000000002001d x24: ffff80007ce60000
[ 107.832743] x23: 0000000000000006 x22: 0000000000000006
[ 107.833657] x21: 0000000000000000 x20: 0000000000000006
[ 107.834564] x19: 0000000000000000 x18: ffffffffffffffff
[ 107.835467] x17: 0000000000000000 x16: 0000000000000000
[ 107.836371] x15: ffff0000093b8c08 x14: 2820296c6c756e28
[ 107.837273] x13: 2020202020202020 x12: 2020206f74206465
[ 107.838175] x11: ffff0000093b9658 x10: ffff0000086a7e40
[ 107.839072] x9 : 746972777265766f x8 : 0000000000000017
[ 107.839972] x7 : 20293e6c6c756e3c x6 : ffff80007ffb5dc0
[ 107.840867] x5 : ffff80007ffb5dc0 x4 : 0000000000000000
[ 107.841771] x3 : ffff80007ffbe038 x2 : 0000000000040d00
[ 107.842668] x1 : 0000000000000000 x0 : 0000000000000059
[ 107.843566] Process dmraid (pid: 8105, stack limit = 0xffff80007792c000)
[ 107.844698] Stack: (0xffff80007792fb00 to 0xffff800077930000)
[ 107.845680] fb00: ffff80007792fb40 ffff0000084e22c0 ffff80007792fc40 ffff80007735ca08
[ 107.846998] fb20: ffff80007735c8c0 ffff0000093b8000 0000000000000006 ffff0000082cd088
[ 107.848319] fb40: ffff80007792fbf0 ffff0000084e2da4 ffff0000093b8000 0000000000002285
[ 107.849649] fb60: ffff80007ce60000 0000fffffa0664c8 ffff80007ce6c000 000000000002001d
[ 107.850974] fb80: ffff80007792fc40 ffff80007cfbe900 ffff000008a91000 ffff80007cfbe900
[ 107.852295] fba0: ffff80007792fc10 0000000000000000 ffff0000093b8000 0000000000000000
[ 107.853626] fbc0: ffff80007792fbf0 ffff0000082d022c ffff80007cfe9000 0000000000000000
[ 107.854944] fbe0: ffff80007cfe9000 0000000000040d00 ffff80007792fce0 ffff0000084e2f88
[ 107.856264] fc00: 0000000000002285 ffff80007a8d7a80 000000000002001d 0000fffffa0664c8
[ 107.857592] fc20: 0000fffffa0664c8 0000000000000009 0000000000000124 000000000000001d
[ 107.858917] fc40: fffffffd00000053 0000000400000006 000000000ed36f10 0000fffffa066520
[ 107.860240] fc60: 0000000000000000 0000000000001770 0000000000000000 0000000000000000
[ 107.861568] fc80: 0000000000000000 0000000000000000 0000000000000000 0000000000000200
[ 107.862890] fca0: 000000000ed2ee10 ffff80007792fe30 00000000000007ff 0000000000000fe4
[ 107.864214] fcc0: ffff80007792fce0 ffff0000084e2f6c 0000000000002285 0000000000040d00
[ 107.865539] fce0: ffff80007792fd10 ffff000000ae6798 ffff80007c873418 ffff80007a8d7a80
[ 107.866861] fd00: 000000000002001d 0000000000002285 ffff80007792fd50 ffff0000084d4294
[ 107.868184] fd20: 0000000000002285 ffff0000093b8000 0000fffffa0664c8 ffff80007a8d7a80
[ 107.869513] fd40: 000000000002001d ffffffffffffff9c ffff80007792fdc0 ffff0000083057f8
[ 107.870837] fd60: ffff80007ccac600 0000000000002285 0000fffffa0664c8 ffff80007ccac600
[ 107.872154] fd80: ffff80007cea0328 000000000000fc00 0000000000000000 0000000000000000
[ 107.873479] fda0: 0000000000001000 0000000000000000 0000000059cd5389 0000000000040d00
[ 107.874798] fdc0: ffff80007792fdf0 ffff0000082d4b4c ffff0000093b8000 0000000000002285
[ 107.876115] fde0: 0000fffffa0664c8 0000000000040d00 ffff80007792fe80 ffff0000082d530c
[ 107.877432] fe00: 0000000000000000 ffff80007ccac600 ffff80007ccac600 0000000000000009
[ 107.878757] fe20: 0000000000002285 0000fffffa0664c8 00006180000007ff 0000100000000001
[ 107.880075] fe40: ffff80007792fe80 ffff0000082d52d0 0000000000000000 ffff80007ccac600
[ 107.881398] fe60: ffff80007ccac600 0000000000000009 0000000000002285 0000000000040d00
[ 107.882723] fe80: 0000000000000000 ffff000008083930 0000000000000000 0000800076fe5000
[ 107.884044] fea0: ffffffffffffffff 0000ffffb982587c 0000000080000000 0000000000000015
[ 107.885365] fec0: 0000000000000009 0000000000002285 0000fffffa0664c8 0000000000000006
[ 107.886693] fee0: 0000000000000000 0000000000000004 0000ffffb98ba568 0000000000000050
[ 107.888012] ff00: 000000000000001d 0003ffffffffffff 0000000000000012 0000000000000011
[ 107.889338] ff20: 0000ffffb98ad000 00000000000000ff 0000ffffb99151f0 0000000000000531
[ 107.890666] ff40: 0000ffffb98ed348 0000ffffb9825870 0000000000000001 0000ffffb991b948
[ 107.891990] ff60: 0000000000000004 000000000ed36f10 0000000000000009 000000000ed2d260
[ 107.893311] ff80: 000000000ed36ee0 0000000000000003 0000ffffb98ba568 000000000ed36ee0
[ 107.894595] ffa0: 0000fffffa066628 0000fffffa0664a0 0000ffffb98ba5fc 0000fffffa0664a0
[ 107.895853] ffc0: 0000ffffb982587c 0000000080000000 0000000000000009 000000000000001d
[ 107.897109] ffe0: 0000000000000000 0000000000000000 00000000000000d8 0000000100000105

[Test Case]
http://bazaar.launchpad.net/~ubuntu-testcase/ubuntu-manual-tests/trunk/view/head:/testcases/image/1688_ARM64_Headless_KVM_Guest

[Regression Risk]
Clean cherry-pick queued for stable, so we'd be picking it up anyway.
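The first line of the trace above is the hardened-usercopy report (CONFIG_HARDENED_USERCOPY, mm/usercopy.c), not a page fault: __check_object_size() refused a copy whose kernel-side buffer was NULL and then called BUG(), which is the "Internal error: Oops - BUG" line that follows it. "overwrite ... to" means the kernel side was the destination of the copy (a copy_from_user), so user-supplied bytes were about to be written to address 0; "<null>" is the reason string the check attaches, and 6 bytes is the requested length. What that destination pointer was is not symbolized in this trace. The C below is an added user-space model of just that decision and of the report format, written for this page; it is not kernel code and not from the bug report, and it leaves out the slab, stack and kernel-text checks the real function also performs. The names check_object_size, report buffer arguments and the sample pointers in main() are constructed for the illustration.

```c
/* Added example: user-space model of the kernel's hardened-usercopy
 * bogus-address check (mm/usercopy.c, CONFIG_HARDENED_USERCOPY).
 * Not kernel code and not from the bug report; it reproduces only the
 * decision and the log line quoted in the report. The real
 * __check_object_size() also runs heap, stack and kernel-text checks,
 * which are omitted here (assumption: they are irrelevant for a NULL ptr,
 * because the bogus-address test runs first). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel's ZERO_SIZE_PTR: the non-NULL token kmalloc(0) hands back. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((uintptr_t)(x) <= (uintptr_t)ZERO_SIZE_PTR)

/* Mirrors check_bogus_address(): a reason string, or NULL if the range is sane. */
static const char *check_bogus_address(const void *ptr, unsigned long n)
{
	/* Reject an object that wraps past the end of the address space. */
	if ((uintptr_t)ptr + n < (uintptr_t)ptr)
		return "<wrapped address>";
	/* Reject NULL and the zero-size allocation token. */
	if (ZERO_OR_NULL_PTR(ptr))
		return "<null>";
	return NULL;
}

/* Mirrors report_usercopy(): the line the kernel logs right before BUG().
 * The kernel's %p prints "(null)" for a NULL pointer, so that is spelled
 * out here rather than relying on the C library's rendering of %p. */
static void report_usercopy(char *buf, size_t len, const void *ptr,
			    unsigned long n, bool to_user, const char *type)
{
	char addr[32];

	if (ptr)
		snprintf(addr, sizeof addr, "%p", ptr);
	else
		strcpy(addr, "(null)");

	snprintf(buf, len,
		 "usercopy: kernel memory %s attempt detected %s %s (%s) (%lu bytes)",
		 to_user ? "exposure" : "overwrite",  /* copy_to_user vs copy_from_user */
		 to_user ? "from" : "to",             /* kernel side is source vs destination */
		 addr, type ? type : "unknown?!", n);
}

/* Model of __check_object_size() reduced to the bogus-address test.
 * Returns 0 when the copy would be allowed, 1 when the kernel would log
 * the report into 'report' and then BUG(). */
int check_object_size(const void *ptr, unsigned long n, bool to_user,
		      char *report, size_t report_len)
{
	const char *err;

	/* Zero-length copies are not checked at all, as in the kernel. */
	if (n == 0)
		return 0;

	err = check_bogus_address(ptr, n);
	if (!err)
		return 0;	/* heap/stack/text checks would follow here */

	report_usercopy(report, report_len, ptr, n, to_user, err);
	return 1;
}

int main(void)
{
	char line[160];

	/* The case from the report: copy_from_user into a NULL kernel buffer, 6 bytes. */
	if (check_object_size(NULL, 6, false, line, sizeof line))
		puts(line);

	/* A copy_to_user from a sane kernel address passes this stage. */
	if (!check_object_size((void *)0x1000, 64, true, line, sizeof line))
		puts("copy of 64 bytes from 0x1000 allowed by bogus-address check");

	return 0;
}
```

Reading the model against the trace: x23 and x22 both hold 6 (the length), and x19/x21 are 0 (the pointer), which is exactly the argument pair that makes check_bogus_address() return "<null>". A genuine NULL kernel buffer reaching copy_from_user is what the hardening is designed to turn into a BUG instead of a silent write to page zero; the fix belongs in whichever driver left that pointer uninitialized, not in the check.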

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1720229

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: artful
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1720229

tags: added: iso-testing
dann frazier (dannf)
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
dann frazier (dannf) wrote :

This can be easily reproduced on a running VM with the command:

sudo dmraid -r -c

Bisection shows that this regression was introduced with:

ca18d6f769d22e931d3ba1e8d1ae81953547a417 is the first bad commit
commit ca18d6f769d22e931d3ba1e8d1ae81953547a417
Author: Bart Van Assche <email address hidden>
Date: Tue Jun 20 11:15:41 2017 -0700

    block: Make most scsi_req_init() calls implicit

    Instead of explicitly calling scsi_req_init() after blk_get_request(),
    call that function from inside blk_get_request(). Add an
    .initialize_rq_fn() callback function to the block drivers that need
    it. Merge the IDE .init_rq_fn() function into .initialize_rq_fn()
    because it is too small to keep it as a separate function. Keep the
    scsi_req_init() call in ide_prep_sense() because it follows a
    blk_rq_init() call.

    References: commit 82ed4db499b8 ("block: split scsi_request out of struct request")
    Signed-off-by: Bart Van Assche <email address hidden>
    Cc: Christoph Hellwig <email address hidden>
    Cc: Hannes Reinecke <email address hidden>
    Cc: Omar Sandoval <email address hidden>
    Cc: Nicholas Bellinger <email address hidden>
    Signed-off-by: Jens Axboe <email address hidden>

:040000 040000 ee31876ef709a9f8cd4f22cf5f7856b33551fce7 d0bee2b06aad3ee1f98636692c410faa950b4421 M block
:040000 040000 87c490a081c83a4c5a4566805275d43560675254 40ecea9fd8c35cb11e4cd20a12fef32bf99e4a0f M drivers
:040000 040000 cc72534f639a3c4f55dc4b5d01e487ee4e59e7aa 95b6dcb4afcae8d2a6024123de8a95cfd1c3ede1 M fs
:040000 040000 27071201e8723e9f873e45886bd7f370b39bcb5c c6ab8cd38a8d2d7dffd915b931fdb4ff3b7880d1 M include

dann frazier (dannf)
Changed in linux (Ubuntu Artful):
assignee: nobody → dann frazier (dannf)
dann frazier (dannf)
Changed in linux (Ubuntu Artful):
status: Confirmed → In Progress
description: updated
Changed in linux (Ubuntu):
status: Confirmed → In Progress
Stefan Bader (smb) wrote :

The requested patch was already picked up as part of the 4.13.12 upstream stable set. Marking this bug as duplicate of the stable tracking bug.
